16 September 2022

Cyber security week in review: September 16, 2022

Uber investigates cybersecurity incident after a report of a breach

Uber Technologies is investigating a cybersecurity incident after a report that its network was breached. The attack is said to have forced the company to shut down its internal communications and engineering systems while it determined the extent of the breach. The attacker reportedly gained access to an employee’s Slack account and, from there, to some of Uber’s other internal systems.

Moreover, the screenshots (unverified) of Uber’s AWS instance, HackerOne administration panel and other critical IT systems posted by the hacker suggest that Uber may have been completely compromised. The company said it is working with law enforcement to investigate the breach and will provide additional details as they become available.

Google Chrome 105 update addresses a slew of high-risk flaws

Google has released a Chrome 105 update that fixes more than ten vulnerabilities, including seven high-risk security issues, all of which could be exploited for remote code execution.

Microsoft’s September 2022 Patch Tuesday fixes over 60 flaws, including a zero-day

Microsoft has released its monthly batch of security updates to address more than 60 security vulnerabilities in a wide range of its software products, including a zero-day flaw actively exploited in hacker attacks.

Tracked as CVE-2022-37969, the zero-day bug has been described as a privilege escalation flaw affecting the Windows Common Log File System (CLFS) driver, which could be used by a local attacker to execute arbitrary code with SYSTEM privileges. The flaw affects Windows versions from Windows 7 through Windows 11 21H2, and Windows Server 2012 through 2022 20H2.

Trend Micro patches an Apex One zero-day flaw exploited in the wild

Antivirus software provider Trend Micro has released patches to address multiple vulnerabilities in its Apex One and Apex One SaaS endpoint security solutions, including a zero-day issue said to have been exploited by malicious actors.

The zero-day in question, tracked as CVE-2022-40139, allows a remote user to compromise a vulnerable system. The vulnerability exists due to improper input validation within the rollback functionality: a remote authenticated user with access to the administrative console can force the agent into downloading unverified rollback components and compromise the affected system.

Apple rolls out iOS, macOS security updates to fix actively exploited zero day

Apple has released security updates for its iOS and macOS operating systems to address a high-severity vulnerability the vendor says “may have been actively exploited.”

Tracked as CVE-2022-32917, the flaw may allow a local application to escalate privileges on the system. The vulnerability exists due to a boundary error within the OS kernel: a local application can trigger memory corruption and execute arbitrary code with elevated privileges.

The bug has been fixed in iOS 15.7 and iPadOS 15.7, macOS Monterey 12.6, and macOS Big Sur 11.7.

New record-breaking DDoS attack thwarted in Europe

Akamai said it mitigated a record-breaking distributed denial-of-service (DDoS) attack on September 12 aimed at one of its customers in Eastern Europe. The attack reached an unprecedented level when the “garbage” traffic sent to the target network peaked at 704.8 Mpps, nearly 7% higher than the previous record-setting DDoS attack recorded in July 2022 (659.6 Mpps).

The US sanctions ten Iranian hackers linked to ransomware attacks

The Treasury Department's Office of Foreign Assets Control (OFAC) has sanctioned ten Iranians and two entities affiliated with Iran's Islamic Revolutionary Guard Corps (IRGC) said to have been involved in malicious cyber acts, including ransomware attacks.

According to OFAC, these IRGC-affiliated threat actors have been hacking into computer networks in the US and other countries since at least 2020. Some of the group’s malicious activity overlaps with that of Iran-linked state-sponsored APTs known as APT35, Charming Kitten, Phosphorus, DEV-0270, Tunnel Vision, and Nemesis Kitten.

Three of the sanctioned Iranians were charged by the US Department of Justice for their part in cyberattacks on hundreds of organizations across the US, UK, Israel, and Iran, including small businesses, government agencies, non-profit organizations, and entities in multiple critical infrastructure sectors, including health care centers, transportation services and utility providers.

Also, cybersecurity agencies in the United States, Canada, UK, and Australia released a joint security advisory detailing the threat group’s malicious activities.

Threat actors adopt new approach to ransomware encryption

Ransomware actors are increasingly using a new method called intermittent encryption, in which only parts of each victim file are encrypted, both to evade detection and to encrypt victims’ files faster. LockBit was the first ransomware operation to use intermittent encryption (in mid-2021); Qyick, Agenda, BlackCat (ALPHV), PLAY, and Black Basta ransomware have since been observed using the same method.
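Intermittent encryption defeats detection heuristics that look at the entropy of a whole file, because the unencrypted portions pull the average down. A defender can instead measure entropy per fixed-size chunk and flag files where encrypted-looking and plain-looking chunks sit side by side. The detector below is an added example written for this digest; it is not code from the post or from any of the ransomware families named above. The thresholds, chunk size, and the sample file bodies (a uniform byte pattern standing in for ciphertext, repeated report text standing in for a document) are constructed assumptions for illustration.

```python
import math
from collections import Counter

# Detector parameters (assumptions for this example, not values from any product).
CHUNK_SIZE = 4096       # size of the slices whose entropy is measured
MIN_CHUNK = 1024        # shorter trailing slices give unreliable entropy estimates
HIGH_ENTROPY = 7.5      # bits/byte; encrypted or random data sits close to 8.0
LOW_ENTROPY = 6.0       # bits/byte; text and most document formats sit well below this


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(data: bytes, chunk_size: int = CHUNK_SIZE) -> list[float]:
    """Entropy of each fixed-size slice, ignoring a short trailing slice."""
    chunks = [data[i:i + chunk_size] for i in range(0, len(data), chunk_size)]
    return [shannon_entropy(c) for c in chunks if len(c) >= MIN_CHUNK]


def classify(data: bytes, chunk_size: int = CHUNK_SIZE) -> str:
    """Classify a file body by the distribution of per-chunk entropy.

    'plain'        every chunk looks unencrypted
    'encrypted'    every chunk looks encrypted (whole-file encryption)
    'intermittent' both encrypted-looking and plain-looking chunks are present
    'mixed'        anything else, e.g. compressed content; review manually
    """
    ents = chunk_entropies(data, chunk_size)
    if not ents:
        return "plain"
    high = sum(e >= HIGH_ENTROPY for e in ents)
    low = sum(e <= LOW_ENTROPY for e in ents)
    if high == len(ents):
        return "encrypted"
    if low == len(ents):
        return "plain"
    if high and low:
        return "intermittent"
    return "mixed"


# Constructed samples. The "ciphertext" stand-in is a uniform byte distribution
# (entropy exactly 8.0); real ciphertext from a sound cipher looks the same to this test.
CIPHER_CHUNK = bytes(range(256)) * (CHUNK_SIZE // 256)
PLAIN_CHUNK = (b"Quarterly report: revenue grew 4% year over year. " * 200)[:CHUNK_SIZE]

SAMPLES = {
    "report.docx (untouched)": PLAIN_CHUNK * 4,
    "report.docx (fully encrypted)": CIPHER_CHUNK * 4,
    "report.docx (every other chunk encrypted)": (CIPHER_CHUNK + PLAIN_CHUNK) * 2,
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:45s} {classify(body)}")
```

Whole-file entropy would score the alternating sample at roughly the midpoint between text and ciphertext and could pass it as compressed or archived data; the per-chunk view makes the alternating pattern visible. Already-compressed formats (archives, JPEGs, encrypted containers) land in the "mixed" or "encrypted" buckets and need a file-type check before alerting.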

GhostSec hacktivist group claims to have breached 55 Berghof PLCs across Israel

A hacktivist group called “GhostSec” claimed that they have successfully compromised 55 Berghof PLC devices used by organizations across Israel.

As proof of their claims, the group posted a video demonstrating a successful login to the PLC’s admin panel, an image of an HMI screen showing the current state and control of the PLC process, and another image showing that the PLC had been stopped. The hacktivists also published data dumped from the breached PLCs. Researchers believe, however, that GhostSec probably did not access or manipulate the HMI and did not exploit the Modbus interface, which suggests an unfamiliarity with the OT domain.

Yanluowang ransomware gang leaks Cisco’s corporate data stolen in May attack

Cisco Systems, an American manufacturer of networking hardware, software, and telecommunications equipment, has confirmed that the data published on the dark web over the weekend by the Yanluowang ransomware gang was stolen during the May ransomware attack. The company added that the leak did not change its previous assessment that the incident had no impact on the company’s business, including its products or services, sensitive customer data or sensitive employee information, intellectual property, or supply chain operations.

The Yanluowang ransomware group said they had stolen 55GB of data from Cisco, including classified documents, technical schematics, and source code, but didn’t provide proof of their claims.

Lorenz ransomware gang abuses Mitel VoIP appliance bug for initial access

The Lorenz ransomware gang has been observed exploiting a vulnerability in a popular VoIP appliance to gain initial access to the corporate network of an unnamed victim.

The threat actors targeted the Mitel Service Appliance component of MiVoice Connect via a remote code execution (RCE) vulnerability, CVE-2022-29499, to obtain a reverse shell. The attackers then used the Chisel TCP tunnelling tool to pivot into the environment.

Hackers compromised Magento vendor FishPig to add malware

Hackers have compromised the infrastructure of FishPig, a company which provides Magento-WordPress integration software with more than 200,000 downloads, and infected multiple extensions.

The threat actors commandeered FishPig’s distribution server on or before August 19 and added malicious code designed to install the Rekoobe remote access trojan to the vendor’s software, gaining access to websites that use the products in what appears to be a supply-chain attack. The malware was discovered in the FishPig Magento Security Suite and several other FishPig extensions for Magento 2, and it is possible that all paid FishPig extensions have been compromised. The attack does not appear to have affected the free extensions hosted on GitHub.

FishPig has acknowledged the incident in a security announcement and said that the malicious code has since been removed.

Cybercriminal group TeamTNT exposes credentials to their attacker-controlled DockerHub accounts

The cybercriminal group TeamTNT has been observed leaking credentials to their attacker-controlled DockerHub accounts. These DockerHub accounts were actively used to deploy malicious images containing rootkits, Docker escape kits, XMRig Monero miners, credential stealers, Kinsing malware, and Kubernetes exploit kits. The researchers said they identified a total of 30 accounts that were compromised, the credentials for which were being leaked. The registries for these were DockerHub and Alibaba Cloud Container Registry.

Russia-linked Gamaredon APT targets Ukrainian government with a new infostealer

A Russia-linked state-backed hacker group known as Gamaredon is targeting entities in Ukraine with information-stealing malware in a new campaign, part of a cyber-espionage operation that has been going on since August 2022.

The campaign involves phishing emails purporting to contain information related to the ongoing Russian invasion of Ukraine that deliver Microsoft Office documents with malicious VBS macros, which download and open RAR archives containing LNK files. These LNK files, in turn, download and run the next-stage payload on the infected endpoint. Cisco Talos says it has not observed this particular malware in previous Gamaredon campaigns. The new malware may be a component of the group’s “Giddome” backdoor family, the researchers said, but they have not been able to confirm that so far.

Over 280,000 WordPress websites targeted through a zero-day in the WPGateway plugin

Cybercriminals are actively exploiting a zero-day vulnerability (CVE-2022-3180) in the WPGateway plugin to take over WordPress sites. The flaw allows a remote, unauthenticated attacker to send a specially crafted request to the affected plugin and add an administrative user account to the WordPress installation.

In the past 30 days security researchers observed over 4.6 million attacks targeting CVE-2022-3180 against more than 280,000 sites.
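Because the outcome of a successful attack is an extra administrator account, the most direct check a site owner can run is an audit of who holds that role and when each such account was registered. The script below is an added example for this digest, not code from the post, from WordPress, or from the researchers cited; it assumes the default wp_ table prefix and the standard PHP-serialised wp_capabilities format, and the rows it inspects are constructed samples rather than data from any real site.

```python
import re
from datetime import datetime, timedelta

# Rows as they would come back from the WordPress database with the default
# "wp_" table prefix. The query is given for reference; the rows below are constructed:
#
#   SELECT u.ID, u.user_login, u.user_registered, m.meta_value AS wp_capabilities
#   FROM wp_users u JOIN wp_usermeta m ON m.user_id = u.ID
#   WHERE m.meta_key = 'wp_capabilities';
#
# WordPress stores wp_capabilities as a PHP-serialised array, e.g.
# a:1:{s:13:"administrator";b:1;}
SAMPLE_ROWS = [
    {"ID": 1, "user_login": "siteowner", "user_registered": "2021-03-02 10:15:00",
     "wp_capabilities": 'a:1:{s:13:"administrator";b:1;}'},
    {"ID": 17, "user_login": "editor_jane", "user_registered": "2022-08-20 09:00:00",
     "wp_capabilities": 'a:1:{s:6:"editor";b:1;}'},
    {"ID": 52, "user_login": "wpsupport_x", "user_registered": "2022-09-13 02:41:17",
     "wp_capabilities": 'a:1:{s:13:"administrator";b:1;}'},
]

# Date the audit is run against; fixed here so the example is reproducible.
REVIEW_DATE = datetime(2022, 9, 16)

# Matches each enabled role entry, s:<len>:"<role>";b:1;, in the serialised array.
_ROLE_RE = re.compile(r's:\d+:"([^"]+)";b:1;')


def enabled_roles(serialized_caps: str) -> set:
    """Role names switched on in a serialised wp_capabilities value."""
    return set(_ROLE_RE.findall(serialized_caps))


def audit_admins(rows, expected_admins, now, recent_days=30):
    """Return (login, reason) pairs for administrator accounts that need review.

    expected_admins: logins known to legitimately hold the administrator role.
    Any administrator not on that list is flagged; the reason notes whether the
    account was registered within the last `recent_days`, which is the pattern
    an exploited add-admin flaw leaves behind.
    """
    findings = []
    cutoff = now - timedelta(days=recent_days)
    for row in rows:
        if "administrator" not in enabled_roles(row["wp_capabilities"]):
            continue
        if row["user_login"] in expected_admins:
            continue
        registered = datetime.strptime(row["user_registered"], "%Y-%m-%d %H:%M:%S")
        reason = f"unknown administrator registered {row['user_registered']}"
        if registered >= cutoff:
            reason += f" (within {recent_days} days)"
        findings.append((row["user_login"], reason))
    return findings


if __name__ == "__main__":
    for login, reason in audit_admins(SAMPLE_ROWS, {"siteowner"}, REVIEW_DATE):
        print(f"REVIEW {login}: {reason}")
```

Run against a live site, the allowlist is the set of administrators the owner can vouch for; anything else, recent or not, gets reviewed and removed, and a recent registration date on an unknown admin is the signal to treat the site as compromised and rotate credentials and keys rather than just delete the account.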

Webworm hackers modify old RATs to evade detection

Symantec researchers released a report detailing current cyber activities of a China-linked threat group they dubbed “Webworm.” Active since at least 2017, the group targets government agencies and companies involved in IT services, aerospace, and electric power industries located in Russia, Georgia, Mongolia, and a number of other Asian countries.

Symantec says the group has developed custom versions of existing remote access trojans (RATs), including Trochilus, Gh0st RAT, and 9002 RAT, to fly under the radar; some of these are said to be still in the development or testing phase.

Iranian hackers TA453 use ‘multi-persona’ technique to add credibility to their phishing attacks

An Iran-linked hacker group tracked by security researchers as TA453 has adopted a new phishing technique to lure victims into their trap. The technique, informally called “Multi-Persona Impersonation”, involves using a variety of personas and email accounts to convince targets that they are engaging in a legitimate dialogue.

As the researchers noted, the technique is intriguing because it requires more resources to be used per target, potentially burning more personas, and a coordinated approach among the various personalities in use by TA453.

The SideWalk backdoor gets Linux variant

ESET shared some details on a Linux variant of the SideWalk backdoor, one of the multiple custom implants used by the SparklingGoblin APT group, which was used in a cyberattack on an unnamed university in Hong Kong in February 2021. The technical report describes SideWalk Linux, its victimology, and its similarities with the originally discovered SideWalk backdoor.
