23 September 2022

Cyber security week in review: September 23, 2022

Cryptomarket maker Wintermute has lost $160 million in DeFi hack

One of the leading crypto market makers and liquidity providers for both centralized and decentralized exchanges Wintermute has suffered a $160 million hack related to its decentralized finance (DeFi) operation, becoming the latest victim in a long list of crypto companies that have suffered hacks over the past few months.

Wintermute's CEO Evgeny Gaevoy said that the company’s lending and over-the-counter (OTC) services have not been impacted in the incident. He also said that Wintermute remains solvent with “twice over that amount in equity left,” adding that lenders who want to recall the loan can do that.

Wintermute did not share additional details about the attack. Some reports suggest that the intruders may have exploited a recently disclosed vulnerability in Profanity, an Ethereum vanity address generator tool.

Record DDoS attack with 25.3 billion requests used HTTP/2 multiplexing

Cybersecurity company Imperva said it stopped a distributed denial-of-service (DDoS) attack with a total of over 25.3 billion requests on June 27, 2022.

The attack targeted an unnamed Chinese telecommunications company and lasted over four hours. It came from a massive botnet that comprised nearly 170,000 IP addresses including routers, security cameras and compromised servers located in over 180 countries, with most of them based in the US, Indonesia, and Brazil.

Malicious actors continue to abuse Google Tag Manager tool to install e-skimmers

Threat actors are taking advantage of Google’s Tag Manager (GTM) containers in Magecart e-skimming attacks that plant malicious e-skimmers on e-commerce sites to steal payment card data and personally identifiable information of visitors. Researchers identified a total of 569 infected domains, 314 of which were infected by a GTM-based e-skimmer variant, while the remaining 255 had infections that exfiltrated stolen data to malicious domains associated with GTM abuse.

Most of the infected websites are based in the US (66%), followed by Canada, the UK, Argentina, India, Italy, Australia, Brazil, Greece, Indonesia and others.

Unpatched 15-year-old Python vulnerability puts at risk over 350,000 open-source projects

An old, unpatched bug in the Python programming language potentially affects roughly 350,000 open-source projects and several closed-source projects, inadvertently creating a vast software supply chain attack surface.

Tracked as CVE-2007-4559, the vulnerability is a path traversal issue that resides in the Python tarfile module, a default module available to any project using Python. The flaw is extremely easy to exploit, the researchers say: by uploading a malicious file generated with two or three lines of simple code, an attacker can achieve arbitrary code execution or take over the target device.

Free decryptor released for LockerGoga ransomware victims

Romanian cybersecurity firm Bitdefender together with Europol, the NoMoreRansom Project, and the Swiss police released a free decryptor to help victims of the LockerGoga ransomware to recover their files. The LockerGoga ransomware family first came to light in January 2019 after successful attacks against several companies in the US and Norway.

Uber blames Lapsus$-linked hackers for the recent breach

Uber has posted an update on the recent breach, in which it said that a hacker affiliated with Lapsus$ was responsible for the hack. The intruder gained access to its network through a compromised account of an Uber EXT contractor, and then accessed several other employee accounts and gained elevated permissions to a number of tools, including G-Suite and Slack. The company says it found no evidence that the attacker accessed any user accounts or made changes to Uber’s codebase.

Rockstar Games confirms “Grand Theft Auto VI” early footage leak

Video game publisher Rockstar Games has confirmed it suffered a network intrusion, which resulted in the leak of confidential information, including the early development footage from the next installment in its blockbuster “Grand Theft Auto” franchise. The company said it doesn’t anticipate any disruption to its live game services nor any long-term effect on the development of ongoing projects.

Just a few days after the Rockstar hack, video game publisher 2K Games, another Take-Two Interactive subsidiary, revealed that its help desk platform was compromised and used to spread malware via fake support tickets.

Russia-linked hackers masquerade as telecom providers in Ukraine to deliver malware

A Russia-linked cyber actor has been posing as telecommunication providers operating in Ukraine to target entities in the country with the Colibri Loader dropper and Warzone RAT. Tracked as UAC-0113, this threat actor has been linked to the Russian advanced persistent threat (APT) group Sandworm, believed to be a unit of the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (the GRU).

To lure victims to fake domains the threat actor used phishing emails ostensibly sent by telecom providers. The malicious sites used Ukrainian language and featured topics related to military operations, administration notices, and reports.

Australia’s second-largest telco Optus suffers a security breach

Australian telecommunications firm Optus, a unit of Singapore Telecommunications, said it was hit with a cyberattack that exposed customers’ personal information, including names, dates of birth, phone numbers, email addresses, and, for a subset of customers, addresses and ID document numbers such as driver's license or passport numbers. Payment details and account passwords have not been compromised, the company said. The technical details of the hack have not yet been disclosed.

New LockBit ransomware builder leaked online

A cyber actor has leaked online the newest LockBit 3.0 ransomware builder claiming they had hacked the LockBit ransomware gang’s servers and were able to obtain the builder and the keys generator. Some reports suggest that the leak may have been a revenge gesture of a disgruntled programmer employed by LockBit. A technical analysis of the LockBit builder can be found here.

Darkside and BlackMatter successor continues to evolve its tactics

Symantec Threat Hunter Team has published a report detailing the latest evolutions of Coreid (aka FIN7, Carbon Spider), a ransomware group behind the Darkside and BlackMatter ransomware families and their successor Noberus. In recent months, the group has been observed using new tactics, techniques, and procedures (TTPs), including a new version of the Exmatter data exfiltration tool, and the use of Eamfo, information-stealing malware designed to steal credentials stored by Veeam backup software.

More than 39K unauthenticated Redis servers exposed on the internet, half of them show signs of attempted compromise

Security researchers said they found 39,405 unauthenticated Redis services out of 350,675 total Redis services on the public internet. Nearly half of these services show signs of an attempted compromise. Most of the exposed servers are located in China, the US, France, Germany, the Netherlands, Ireland, Singapore, and Hong Kong.

Atlassian Confluence RCE flaw abused to deploy cryptominers, other malware

Hackers are actively exploiting a recently patched remote code execution (RCE) flaw in Atlassian Confluence Server to deploy cryptomining malware on unpatched installations, security researchers have warned.

The flaw (CVE-2022-26134) allows a remote, unauthenticated attacker to send a specially crafted request to the Confluence Server and execute arbitrary code on the system. In June, proof-of-concept (PoC) code was released for this vulnerability.

A phishing campaign targets GitHub accounts

GitHub's security team has warned users about a phishing campaign that has been active since at least September 16. The campaign impersonates the CircleCI service to harvest credentials and two-factor codes of GitHub account owners. The attack involves malicious emails containing a link that redirects users to phishing pages. GitHub said that accounts protected by hardware security keys are not vulnerable to this attack.

Hackers are using malicious OAuth apps to take over Exchange servers and spread spam

Microsoft has warned of a malicious campaign in which threat actors compromise Azure tenant accounts using stolen credentials, then create a malicious OAuth app on the account that adds a malicious inbound connector to the email server. The attacker then uses this inbound connector, together with transport rules designed to help evade detection, to deliver phishing emails via the compromised Exchange servers.

NSA, CISA share tips on how to secure OT/ICS critical infrastructure

The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) have released a Cybersecurity Advisory that details TTPs used by threat actors to compromise operational technology (OT)/industrial control system (ICS) assets and provides recommendations on how to defend against them.

A database containing 350 million Ask.FM user records put up for sale on the dark web

A database containing 350 million Ask.FM (a question and answer social network) user records has been offered for sale on a popular hacker forum. Of the 350 million records, 45 million use Single Sign-On login. The fields in the user database include “user_id, username, mail, hash, salt, fbid, twitterid, vkid, fbuid, iguid”, and the hashes are reportedly crackable. According to the seller, initial access to the database was gained via a vulnerability in Safety Center. The server was first accessed in 2019, and the database was obtained on 2020-03-14.
