17 June 2022

Cyber security week in review: June 17, 2022


Microsoft’s June 2022 Patch Tuesday addresses actively exploited Follina flaw

Microsoft released its June 2022 Patch Tuesday security updates, which address dozens of security vulnerabilities in its software, including “Follina,” an RCE flaw (CVE-2022-30190) in the Microsoft Windows Support Diagnostic Tool (MSDT) that has been actively exploited by multiple threat actors, including in attacks targeting state bodies in Europe and the US, as well as government and media organizations in Ukraine.

Chinese Gallium APT observed using the previously undocumented PingPull RAT

Palo Alto’s Unit 42 discovered a new malicious campaign targeting telecommunications providers across the globe, conducted by the Chinese state-sponsored hacking group known as “Gallium”. The campaign deployed a previously unreported remote access trojan (RAT) dubbed “PingPull,” which leverages three protocols (ICMP, HTTP(S) and raw TCP) to communicate with its command-and-control servers.

PingPull is a Visual C++ based trojan able to run commands and access a reverse shell on a compromised system. In addition to the new RAT, Gallium was observed deploying a modified version of the China Chopper web shell to establish persistence on the compromised machine.

Iranian hackers targeted former Israeli officials, US ambassador

The Iranian-affiliated Phosphorous APT group has been running a high-profile spear-phishing operation targeting high-level officials in Israel, including former Foreign Minister and Deputy Prime Minister of Israel Tzipi Livni, an unnamed former Israeli military official and a former US ambassador to Israel. The goal of the operation was to obtain personal information, passport scans, and access to email accounts. Attackers targeted accounts by using common hacking techniques such as email phishing and social engineering.

Iranian cyber spies target energy sector with a new DNS backdoor

The Lyceum cyber espionage group, believed to have ties to the Iranian government, has been targeting companies in the energy and telecommunication sectors using a new DNS backdoor based on the .NET platform.

Using a customized version of the DIG.net open-source tool, the backdoor carries out "DNS hijacking" attacks – DNS query manipulation to redirect users to malicious clones of legitimate sites – executes commands, drops payloads, and steals data.

BlackCat ransomware affiliates use unpatched Exchange servers to sneak into networks

The BlackCat RaaS affiliates are taking advantage of vulnerable Microsoft Exchange servers to gain access to corporate networks. To gain initial access to a targeted system, threat actors typically use remote desktop applications and compromised credentials, but, according to Microsoft, a BlackCat affiliate was observed leveraging the ProxyLogon Exchange server vulnerabilities as an entry vector.

After breaching the target network via ProxyLogon, the threat actor executed a series of commands to collect information about the operating system and the domain computers, domain controllers, and domain admins in the environment. The attackers then used account credentials found in one of the folders to launch a further attack.

More recently, the BlackCat group launched a dedicated website that allows the customers and employees of their victim to check if their data was stolen in an attack.

Recently patched Atlassian Confluence bug exploited to install ransomware, cryptominers

Ransomware gangs are exploiting a recently patched RCE vulnerability (CVE-2022-26134) in Atlassian Confluence Server and Data Center software to gain a foothold in enterprise networks through unpatched servers. According to security researchers, the AvosLocker ransomware gang has begun to target vulnerable internet-exposed Atlassian Confluence servers “to infect multiple victims on a mass scale systematically.”

The threat actor has already infected multiple organizations across the globe, including the United States, Europe, and Australia.

A ransomware group known as Cerber2021 (CerberImposter) has also been observed actively targeting unpatched Confluence servers.

HelloXD ransomware installs a backdoor to monitor breached systems

Cybersecurity researchers discovered a new variant of the HelloXD ransomware that features stronger encryption and installs an open-source backdoor on compromised systems to maintain an additional foothold.

The discovered HelloXD sample deployed MicroBackdoor, an open-source backdoor that allowed an attacker to browse the file system, upload and download files, execute commands, and remove itself from the system. The researchers believe that the threat actor used the backdoor to monitor the progress of the ransomware on the compromised system.

New Hertzbleed side-channel attack allows attackers to extract cryptographic keys from remote servers

A group of security researchers detailed a security issue impacting modern Intel and AMD CPUs. The weakness, dubbed “Hertzbleed,” could allow an attacker to steal cryptographic keys from remote servers via a timing side-channel attack.

The issue impacts all Intel processors (CVE-2022-24436) and several AMD products (CVE-2022-23823), including desktop, mobile, Chromebook, and server CPUs. Currently, neither vendor intends to address Hertzbleed.

Blue Mockingbird hackers use three-year-old Telerik flaws to deploy Cobalt Strike

A hacker group known as Blue Mockingbird is exploiting a three-year-old vulnerability in the Telerik UI web application framework to take over web servers, install Cobalt Strike beacons and deploy cryptomining malware. The flaw (CVE-2019-18935) is a high-risk deserialization flaw that can lead to remote code execution.

In the observed campaign, CVE-2019-18935 was exploited in conjunction with two older Telerik UI bugs (CVE-2017-11317 and CVE-2017-11357) in order to obtain the encryption keys that protect Telerik UI’s serialization on the victim’s system and deploy a Cobalt Strike beacon.

A small botnet launched a record-breaking 26M RPS DDoS attack

Cloudflare said it thwarted a 26 million request per second distributed denial-of-service (DDoS) attack, which makes it the largest HTTPS DDoS attack recorded to date. The source of the attack was a rather tiny yet powerful botnet of 5,067 devices (possibly comprised of hijacked virtual machines and servers), each capable of generating roughly 5,200 rps at its peak.

Within less than 30 seconds, this botnet generated more than 212 million HTTPS requests from over 1,500 networks in 121 countries, including Indonesia, the United States, Brazil and Russia. About 3% of the attack came through Tor nodes.

A security issue in the Travis CI API exposes thousands of secret user access tokens

Travis CI free tier users are at risk due to an unpatched data disclosure issue in the Travis CI API that exposes user data containing authentication tokens that could give access to developers’ accounts on GitHub, Amazon Web Services, and Docker Hub.

The researchers found that there are more than 770 million logs from free-tier Travis CI users accessible via API calls, from which attackers can extract tokens, secrets, and other credentials and use them to carry out cyberattacks.

SeaFlower hackers distribute Android and iOS cryptowallets with a backdoor

Security researchers warned of a widespread malicious campaign targeting web3 wallet users. Dubbed “SeaFlower,” the campaign is spreading backdoored versions of iOS and Android Web3 wallets that steal users’ funds.

First spotted in March 2022, the campaign appears to be the work of “a Chinese-speaking entity yet to be uncovered.” The threat actor targeted the iOS and Android versions of applications such as Coinbase Wallet, MetaMask Wallet, TokenPocket, and imToken. The fake versions were distributed via clones of the apps’ legitimate websites. To lure potential victims to the malicious sites the hackers used search engine poisoning, with Baidu and other Chinese search engines being targeted.

Chinese hackers exploited Sophos Firewall zero-day weeks before patch

A sophisticated Chinese APT, tracked as “DriftingCloud,” has been exploiting a Sophos firewall authentication bypass vulnerability (CVE-2022-1040) to install backdoors and launch man-in-the-middle attacks. Sophos addressed the flaw in March 2022; however, it was found that DriftingCloud started exploiting the issue a little over three weeks before a patch was released.

After the attackers gained access to the Sophos Firewall, they performed a man-in-the-middle (MitM) attack, thus gaining access to the victim’s web server. The adversary then deployed three open-source malware families (PupyRAT, Pantegana, and Sliver) on the web server.

Interpol arrests thousands of scammers in a global anti-fraud operation

A large-scale police investigation into social engineering fraud, involving law enforcement agencies from 76 countries, has resulted in the seizure of $50 million in illicit funds and the arrest of 2,000 alleged fraudsters. In the course of the investigation, the police identified 3,000 different suspects and froze some 4,000 bank accounts.

The operation, codenamed First Light 2022, lasted two months, between March and May 2022, and was focused on social engineering schemes involving telephone deception, romance scams, e-mail deception, and related financial crimes.

International cyber operation disrupts the RSOCKS botnet run by Russian cybercriminals

Law enforcement agencies in the US, UK, Germany, and the Netherlands dismantled the RSOCKS botnet operated by Russian cybercriminals, which compromised millions of devices worldwide. The botnet initially targeted Internet of Things devices such as clocks, routers, and streaming devices, but later expanded to include Android devices and conventional computers.

The RSOCKS botnet offered its clients access to IP addresses assigned to devices that had been hacked. The cost for access to a pool of RSOCKS proxies ranged from $30 per day for access to 2,000 proxies to $200 per day for access to 90,000 proxies.

According to the US Department of Justice, several large public and private entities have been victims of the RSOCKS botnet, including a university, a hotel, a television studio, and an electronics manufacturer, as well as home businesses and individuals.
