U.S. Marshals service breach and TPM 2.0 security flaws

March 6, 2023 by Dan Virgillito

Hackers steal sensitive data from U.S. Marshals Service systems, TPM 2.0 security flaws could allow cybercriminals to steal cryptographic keys, and Mustang Panda deploys the custom MQsTTang backdoor. Catch all this and more in this week’s edition of Cybersecurity Weekly.

1. Hackers use ransomware against U.S. Marshals Service, steal law enforcement data

A U.S. Marshals Service spokesperson confirmed that a ransomware attack allowed hackers to steal data from USMS’s systems. The stolen data contained sensitive law enforcement info, including administrative and legal returns, and personal data of subjects of investigations, third parties, and some USMS employees. The system has since been disconnected, and the Department of Justice is conducting a forensic investigation, categorizing it as a “major incident.” Notably, this is the second cyberattack to hit a U.S. federal law enforcement agency in February.


2. New flaws in TPM 2.0 Library could impact billions of IoT devices

Cybersecurity research firm Quarkslab has uncovered two vulnerabilities in the Trusted Platform Module (TPM) 2.0 reference implementation that could lead to sensitive data leakage or escalation of privileges. The flaws, discovered in November, affect revisions 1.59, 1.38, and 1.16 of the TPM 2.0 Library reference code. They are triggered when the TPM handles malicious TPM 2.0 commands carrying encrypted parameters. The Trusted Computing Group (TCG), publisher of the TPM 2.0 Library specification, updated its Errata for the TPM 2.0 Library Specification with guidance on fixing the issues ahead of public disclosure.


3. Chinese Mustang Panda group using new MQsTTang backdoor against European entities

Chinese cyber espionage group Mustang Panda was recently seen using a new backdoor named MQsTTang. This malware was discovered as part of a social engineering campaign aimed at entities in Europe and Asia since January 2023. ESET’s research reveals that the backdoor is a barebones single-stage implant that allows the execution of arbitrary commands received from a remote server via an IoT messaging protocol called MQTT for command-and-control communications. The attack starts with spearphishing and decoy file names related to diplomatic themes. ESET has also noted the use of previously undocumented tools distributed through an FTP server linked to the threat actor.


4. Hackers could exfiltrate data from Google Cloud without being detected

Mitiga researchers have discovered that Google Cloud Platform (GCP) storage buckets may not be as secure as previously thought. Attackers can potentially exfiltrate company data from them without leaving forensic traces of malicious activity in GCP’s storage access logs. This follows recent concerns raised by researchers regarding Google Cloud Storage’s potential security issues, including vulnerabilities in third-party storage solutions and the need for companies to understand and secure their cloud storage infrastructure.


5. Royal ransomware growth poses widespread risks, U.S. advisory warns

A joint advisory by CISA and FBI warns of rising Royal ransomware attacks targeting critical infrastructure, including healthcare, communications, and education. The agencies shared indicators of compromise and TTPs to detect and block Royal ransomware payloads on networks. Enterprises should prioritize the remediation of known vulnerabilities and train employees to identify and report phishing attempts. Multi-factor authentication should be enforced to strengthen cybersecurity defenses. Victims have been urged to report Royal ransomware incidents to the FBI or CISA and not to pay any ransom. Royal ransomware operators demand hefty ransom payments and deceive corporate victims with callback phishing attacks.



Dan Virgillito is a blogger and content strategist with experience in cyber security, social media and tech news. Visit his website or say hi on Twitter.