A recent report from the Health and Human Services (HHS) Health Sector Cybersecurity Coordination Center (HC3) highlights that the Chinese state-sponsored threat group APT41 continues to pose a danger to the healthcare sector. The report disclosed the following:
European countries are on high alert after gas leaks broke out on both branches of the Nord Stream natural gas pipelines in the Baltic Sea. Nord Stream 1 (NS1), which runs 1,200km under the Baltic from Russia to Germany, previously carried around a quarter of the EU's total yearly imports of Russian natural gas. NS1 has been defunct since the summer, when Russia cited technical difficulties with maintenance as the reason for stopping deliveries; experts dismissed this as a thinly veiled excuse for using energy flows to Europe as a political weapon to pressure the EU. The NS2 pipeline was scheduled to become operational earlier this year, but the German government halted certification because of Russian aggression in Ukraine. Neither pipeline was delivering gas when the leaks were discovered, but both were still pressurized with gas for operational reasons.
Western authorities blamed the leaks on Russian sabotage, and the internet was rife with speculation that a cyber-attack caused them, comparing the situation to a 1982 Soviet gas pipeline explosion reportedly caused by a CIA-planted trojan in pipeline-control software the Soviets had stolen in Canada. However, Danish and Swedish authorities revealed that seismological readings recorded a series of explosions near the Danish island of Bornholm shortly before the leaks. The pipeline is 40mm of steel enveloped in a thick concrete mantle, and experts rule out natural leaks or accidents in the recently laid pipeline, especially given the undersea explosions in the vicinity and the timing relative to the Baltic Pipe inauguration, scheduled just days after the attack. The Baltic Pipe now links Norway and Poland (and by extension countries in Central Europe), and experts read the explosions as a potential warning to EU energy infrastructure.
Russia has followed the gas leaks with social media information operations blaming the sabotage first on the USA and then on Ukraine; the latter claim is hardly credible, not least because Russia seized the last seaworthy Ukrainian submarine in 2014. The campaign has been hampered by Meta's recent dismantling of a large Russian network that spoofed Western media on its platforms for precisely this kind of operation; CYFIRMA reported on that takedown earlier this week.
Experts are now warning of possible further Russian attacks on European infrastructure, with other pipelines, gas terminals and installations, undersea internet cables, and the power grid and wider energy industry as prime targets. Russian cyberattacks on Western critical national infrastructure have so far fallen well short of what these actors are capable of, and the industries named above should remain at maximum vigilance in the coming months.
The largest anti-government protests in Iran since 2009 continue and are gathering momentum, having spread to as many as 80 municipalities. The protests began after the death of 22-year-old Mahsa Amini in the custody of the morality police, who had detained her for allegedly violating Islamic headwear regulations. Many of the protests have been led by women, and some smaller cities in the Kurdish provinces are allegedly outside effective government control, with the military on its way to crack down on the protesters.
The Iranian government is escalating its crackdown on the protests, and police are using live fire to contain the crowds, reportedly resulting in dozens of deaths. The government has also arrested numerous prominent activists and journalists while imposing severe restrictions on internet connectivity. The authorities orchestrated mobile network outages across entire regions and disrupted social media apps such as WhatsApp and Instagram, two Western communication tools that were not banned in Iran before the protests erupted.
The Anonymous hacktivist collective has been targeting Iranian government websites, mainly with DDoS attacks that have rendered some sites unavailable. In a gesture of support for Iran's dissidents, the US Treasury Department relaxed sanctions in ways intended to ease Iranians' access to the internet and Western media. Based on previous behavior, analysts predict that this is likely to lead to a surge in Iranian cyber-attacks on the US and its allies in the region, mainly against the media, financial, and energy industries but not limited to those.
Researchers have recently discovered 75 mobile apps on Google Play and a further 10 on the Apple App Store used to carry out ad fraud. Collectively reaching 13 million installations, these apps showed users both visible and hidden advertisements and impersonated other legitimate apps to generate more revenue.
The researchers have dubbed this fraud campaign "Scylla" and believe it is the third wave of an operation first observed in August 2019 and dubbed "Poseidon". The second wave, called "Charybdis", was observed at the end of 2020.
The findings have been communicated to Google and Apple and the apps have been removed from their respective app stores. Some of the most downloaded apps are listed below:
Pebble Templates was found vulnerable to a critical-severity bug that could allow attackers to bypass its security mechanisms and conduct command injection attacks against host servers. Pebble is a Java templating engine inspired by Twig and comparable to Python's Jinja. It offers ease of use, internationalization capabilities, and security features including auto-escaping and a block-list method access validator intended to prevent template expressions from reaching methods that execute commands.
However, researchers found that with carefully crafted code and template files, Pebble's command execution defense can be bypassed. In a proof of concept (PoC), the researcher used a Pebble template to load an XML file from the web and instantiate a Java class capable of running system commands on the server.
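The bypass above only matters if an attacker can get their own expressions into a template. The block-list validator filters method calls made from inside a template; it is not a sandbox, and the practical fix is to keep untrusted input out of the template source entirely. The following is an added example, not code from the article or the Pebble project, contrasting the unsafe pattern (user input concatenated into the template) with the safe one (user input supplied only as a context variable). It assumes Pebble 3.1.x under the `io.pebbletemplates.pebble` package, and the `{{ 7 * 7 }}` probe string is a constructed test input, not a real exploit payload.

```java
// Added example (not from the original article or the Pebble project).
// Assumes Pebble 3.1.x on the classpath: groupId io.pebbletemplates, artifactId pebble.
import io.pebbletemplates.pebble.PebbleEngine;
import io.pebbletemplates.pebble.loader.StringLoader;
import io.pebbletemplates.pebble.template.PebbleTemplate;

import java.io.IOException;
import java.io.StringWriter;
import java.io.Writer;
import java.util.Map;

public class PebbleTemplateInjectionDemo {

    // VULNERABLE: user input becomes part of the template source, so any
    // {{ ... }} expression the user supplies is parsed and evaluated by Pebble.
    // This is the precondition for server-side template injection; the method
    // access block-list is the only thing standing between the expression and
    // the JVM, which is exactly the control the PoC bypasses.
    static String renderUnsafe(String userInput) throws IOException {
        PebbleEngine engine = new PebbleEngine.Builder()
                .loader(new StringLoader())   // with StringLoader the "name" IS the template text
                .build();
        PebbleTemplate template = engine.getTemplate("Hello " + userInput);
        Writer out = new StringWriter();
        template.evaluate(out);
        return out.toString();
    }

    // SAFE: the template source is a fixed, developer-controlled string.
    // User input only enters through the context map, so it is treated as data
    // (and HTML-escaped by auto-escaping), never parsed as template syntax.
    static String renderSafe(String userInput) throws IOException {
        PebbleEngine engine = new PebbleEngine.Builder()
                .loader(new StringLoader())
                .autoEscaping(true)           // default in Pebble, made explicit here
                .build();
        PebbleTemplate template = engine.getTemplate("Hello {{ name }}");
        Writer out = new StringWriter();
        template.evaluate(out, Map.of("name", userInput));
        return out.toString();
    }

    public static void main(String[] args) throws IOException {
        // Constructed probe: a harmless arithmetic expression. If the rendered
        // output contains its result rather than the literal text, the input was
        // evaluated as template code and the endpoint is injectable.
        String probe = "{{ 7 * 7 }}";
        System.out.println("unsafe: " + renderUnsafe(probe));
        System.out.println("safe:   " + renderSafe(probe));
    }
}
```

Run with the Pebble jar on the classpath: in the unsafe path the arithmetic probe is evaluated and its result appears in the output, while in the safe path the probe is echoed back verbatim. The same probe, sent to any endpoint that renders user-supplied text, is the quickest check for whether a service is exposed to this class of bug; tightening or replacing the method access validator is defense in depth and should not be relied on instead of the fixed-template pattern.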