WyzGuys Tech Talk

A quick Saturday digest of cybersecurity news articles from other sources.

ZuoRAT Hijacks SOHO Routers To Silently Stalk Networks

Executive Summary

The rapid shift to remote work in spring of 2020 presented a fresh opportunity for threat actors to subvert traditional defense-in-depth protections by targeting the weakest points of the new network perimeter — devices which are routinely purchased by consumers but rarely monitored or patched — small office/home office (SOHO) routers. Actors can leverage SOHO router access to maintain a low-detection presence on the target network and exploit sensitive information transiting the LAN. Black Lotus Labs, the threat intelligence arm of Lumen Technologies, is currently tracking elements of what appears to be a sophisticated campaign leveraging infected SOHO routers to target predominantly North American and European networks of interest. We identified a multistage remote access trojan (RAT) developed for SOHO devices that grants the actor the ability to pivot into the local network and gain access to additional systems on the LAN by hijacking network communications to maintain an undetected foothold. While we currently have a narrow view of the full extent of the actor’s capabilities due to the limited state of SOHO device monitoring in general, using proprietary telemetry from the Lumen global IP backbone, we have enumerated some of the command-and-control (C2) infrastructure associated with this activity and identified some of the targets. We assess with high confidence the elements we are tracking are part of a broader campaign.  More,,,

CISA Releases Guidance on Switching to Modern Auth in Exchange Online before October 1

Original release date: June 28, 2022

CISA has released guidance on switching from Basic Authentication (“Basic Auth”) in Microsoft Exchange Online to Modern Authentication (“Modern Auth”) before Microsoft begins permanently disabling Basic Auth on October 1, 2022. Basic Auth is a legacy authentication method that does not support multifactor authentication (MFA), which is a requirement for Federal Civilian Executive Branch (FCEB) agencies per Executive Order 14028, “Improving the Nation’s Cybersecurity”. Although this guidance is tailored to FCEB agencies, CISA urges all organizations to switch to Modern Auth before October 1 and enable MFA.

CISA recommends all organizations review Switch to Modern Authentication in Exchange Online Before Basic Authentication Deprecation and prioritize moving to Modern Auth. For more information, CISA recommends reviewing Microsoft’s Deprecation of Basic Authentication in Exchange Online documentation and the associated Exchange Team blog post, Basic Authentication Deprecation in Exchange Online.

The FBI Warns That LinkedIn Fraudsters Are Now a Significant Threat

The U.S. FBI has warned that scammers on LinkedIn are a “significant threat,” CNBC reports. Sean Ragan, the FBI’s special agent in charge of the San Fran and Sacramento field offices, told CNBC in an interview that cryptocurrency scams have been particularly widespread recently.

“This type of fraudulent activity is significant, and there are many potential victims, and there are many past and current victims,” Ragan said. “So the criminals, that’s how they make money, that’s what they focus their time and attention on,” Ragan said.

“And they are always thinking about different ways to victimize people, victimize companies. And they spend their time doing their homework, defining their goals and their strategies, and their tools and tactics that they use.”   More…

Crypto crash threatens North Korea’s stolen funds as it ramps up weapons tests

Bob says: Don’t you just love it when bad guys get the shaft?

SEOUL, June 29 (Reuters) – The nosedive in cryptocurrency markets has wiped out millions of dollars in funds stolen by North Korean hackers, four digital investigators say, threatening a key source of funding for the sanctions-stricken country and its weapons programs.

North Korea has poured resources into stealing cryptocurrencies in recent years, making it a potent hacking threat and leading to one of the largest cryptocurrency heists on record in March, in which almost $615 million was stolen, according to the U.S. Treasury. read more

Crypto that N Korea stole from 2017-2021 to bypass sanctions has decreased in value from $170 million to $65 million this yr, and a 2021 heist, which had been worth tens of millions, has lost 80% of its value and is now worth less than $10 million

Ecuador’s Attempt to Resettle Edward Snowden

Someone hacked the Ecuadorian embassy in Moscow and found a document related to Ecuador’s 2013 efforts to bring Edward Snowden there. If you remember, Snowden was traveling from Hong Kong to somewhere when the US revoked his passport, stranding him in Russia. In the document, Ecuador asks Russia to provide Snowden with safe passage to come to Ecuador.

It’s hard to believe this all happened almost ten years ago.

Securing Port 443: A Gateway to a New Universe

Hi, this is Mark Maunder, founder, and CEO of Wordfence. A few minutes ago I published a post on the Wordfence blog discussing the philosophical differences between securing port 443 – the secure HTTP port that most of our web applications listen on – compared to securing other ports on your network.

If you’re in operations – which is where I started my career – or if you work in a security operations center, or if you’re a web developer, I think you may find it an interesting new lens to use when examining the security of your network.

I hope you enjoy the post and I’ll be keeping an eye on the comments in case anyone wants to join the discussion.

You can find the full post on the official Wordfence blog…

#StopRansomware: MedusaLocker

Original release date: June 30, 2022

CISA, the Federal Bureau of Investigation (FBI), the Department of the Treasury (Treasury), and the Financial Crimes Enforcement Network (FinCEN) have released a joint Cybersecurity Advisory (CSA), #StopRansomware: MedusaLocker, to provide information on MedusaLocker ransomware. MedusaLocker actors target vulnerabilities in Remote Desktop Protocol (RDP) to access victims’ networks. Note: this joint #StopRansomware CSA is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors.

CISA, FBI, Treasury and FinCEN encourage network defenders to examine their current cybersecurity posture and apply the recommended mitigations in this joint CSA, which include:

• Prioritize remediating known exploited vulnerabilities.
• Train users to recognize and report phishing attempts.
• Enable and enforce multifactor authentication.

See #StopRansomware: MedusaLocker to learn about MedusaLocker actors’ tactics, techniques, and procedures and the recommended mitigations. Additionally, review the U.S. government resource StopRansomware.gov for more guidance on ransomware protection, detection, and response.

FCC commissioner calls on Apple and Google to remove TikTok from their app stores

For years, US officials have expressed concerns that Chinese government access to US users’ data or communications could put national security at risk.  A member of the Federal Communications Commission is renewing calls for Apple and Google to remove TikTok from their app stores, citing national security concerns surrounding TikTok’s Chinese-based parent company, ByteDance.

“Missing Cryptoqueen” hits the FBI’s Ten Most Wanted list

The “Missing Cryptoqueen” makes the American Top Ten… but not in a good way.

According to the FBI, Ruja Ignatova, widely known as the Cryptoqueen, and famously dubbed the “Missing Cryptoqueen” by the makers of a popular BBC podcast series:

…is wanted for her alleged participation in a large-scale fraud scheme. Beginning in approximately 2014, Ignatova and others are alleged to have defrauded billions of dollars from investors all over the world. Ignatova was the founder of OneCoin Ltd., a Bulgaria-based company that marketed a purported cryptocurrency. In order to execute the scheme, Ignatova allegedly made false statements and representations to individuals in order to solicit investments in OneCoin. She allegedly instructed victims to transmit investment funds to OneCoin accounts in order to purchase OneCoin packages, causing victims to send wire transfers representing these investments. Throughout the scheme, OneCoin is believed to have defrauded victims out of more than $4 billion.