7 October 2022

Cyber security week in review: October 7, 2022

Cyber security week in review: October 7, 2022

Microsoft updates MS Exchange zero-day mitigations

Microsoft has updated the guidance for the two not yet patched Microsoft Exchange zero-day vulnerabilities after security researchers demonstrated that the original mitigations were easy to bypass.

Collectively known as “ProxyNotShell,” the two zero-day vulnerabilities (CVE-2022-41040 and CVE-2022-41082) affect Microsoft Exchange Server 2013, 2016, and 2019. A China-linked threat group have been observed exploiting the vulnerabilities to deploy Chinese Chopper web shells on compromised servers for persistence and data theft, as well as move laterally to other systems on the victims' networks.

Binance Smart Chain halted after $560M bridge hack

Binance has halted its Binance Smart Chain (BSC) blockchain bridge project after a hacker used an exploit to generate and steal 2 million Binance Coins (BNB), worth around $560 million. About $87 million was moved out of the Binance ecosystem but the hacker was unable to steal the rest of the funds because the Binance Smart Chain was suspended.

Cybersecurity authorities share TOP20 vulnerabilities used by Chinese hackers

The US National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and Federal Bureau of Investigation (FBI) released a joint security advisory highlighting 20 vulnerabilities most commonly used by Chinese cyber actors to target government networks as well as software and hardware companies to steal intellectual property and develop access into sensitive networks.

BlackBytes ransomware abuses Windows driver to bypass security products

The operators behind the BlackByte ransomware are using a new technique to bypass security solutions. Dubbed “Bring your own vulnerable driver” (BYOVD), the technique exploits a known vulnerability in a legitimate Windows driver (RTCore64.sys and RTCore32.sys) in order to achieve successful kernel-mode exploitation and take over compromised systems. More detailed analysis on how this method works is available here.

A 19-year-old Australian arrested for allegedly using leaked Optus data in SMS scam

The Australian Federal Police (AFP) have apprehended a 19-year-old teen in Sydney for allegedly using Optus customer data leaked last month to perpetrate SMS blackmail.

The suspect reportedly used 10,200 records briefly posted on a hacker forum last month to contact victims via text messages and demanding that they send AUD 2,000 ($1,300) to his bank account, or else their data would be sold to other cybercriminals. The scam messages were sent to 93 Optus customers who had their data exposed on the hacker forum.

The police said that “at this stage it appears none of the individuals who received the text message transferred money to the account.”

New RatMilad Android spyware targets enterprise devices

Security researchers discovered a novel Android spyware family they dubbed “RatMilad” that targets Middle Eastern enterprise mobile devices by pretending to be a VPN and phone number spoofing app.

The phone spoofing app is distributed through links on social media and communication tools, encouraging them to sideload the fake toolset and enable significant permissions on the device. But in reality, the novel RatMilad spyware is installed by sideloading, enabling the attacker take control of the mobile device.

New Maggie backdoor targets Microsoft SQL servers

A new malware dubbed “Maggie” is targeting Microsoft SQL servers, and is said to have already infected hundreds of machines worldwide. The malware is delivered in the form of a signed Extended Stored Procedure (ESP) DLL file, which cam be controlled solely using SQL queries. Maggie supports a variety of functions, including the ability to run commands and interact with files, and can be used by the hackers to gain access to the compromised environment.

The highest number of infections were observed in South Korea, India, Vietnam, China, Russia, Thailand, Germany, and the United States.

Ukraine dismantles a large-scale bot farm used for Russian propaganda

Ukraine’s cyber police disrupted a massive bot farm that spread Russian propaganda and fake news about the war in Ukraine. The bot farm comprised over 50,000 bots, and was growing with 3,000 fake accounts every week. In addition to disinformation and propaganda, the bot accounts also advertised phishing scams.

LilithBot malware linked to Eternity MaaS

Security researchers discovered a new piece of malware called LilithBot, which has advanced capabilities, including botnet functionality, and can act as an information stealer, clipper, and miner. LilithBot is believed to have been developed by the Jester Group, a Russian cyber crime team that runs the Eternity Malware-as-a-Service (MaaS). Eternity uses an as-a-service subscription model to distribute different Eternity-branded malware modules in underground forums, including a stealer, miner, botnet, ransomware, worm+dropper, and DDoS bot.

Researchers share details on a supply chain vulnerability in Packagist PHP repository

Researchers at code security company SonarSource released technical details on the now-patched vulnerability affecting Packagist, which could have been abused to launch supply chain attacks targeting the PHP community. The flaw, tracked as CVE-2022-24828, impacts the PHP package manager Composer, which serves 2 billion software packages every month.

The vulnerability was patched with the release of the Composer versions 2.3.5, 2.2.12, 1.10.26 in April 2022.

Popular commercial chat provider compromised to spread malware in supply chain attack

Suspected Chinese hackers have hijacked the installer for the Comm100 Live Chat app to distribute malware in what appears to be a supply chain attack similar to the SolarWinds compromise. The attack occurred from at least September 27, 2022 through the morning of September 29, 2022. Organizations affected include companies in the industrial, healthcare, technology, manufacturing, insurance and telecommunications sectors in North America and Europe.

NetWalker ransomware affiliate sentenced to 20 years in US prison

Sebastian Vachon-Desjardins, a former NetWalker ransomware affiliate, was sentenced to 20 years in prison and ordered to forfeit $21.5 million for his role in NetWalker ransomware attacks that targeted dozens of victims all over the world, including enterprises, municipalities, hospitals, law enforcement, emergency services, school districts, colleges, and universities. Vachon-Desjardins, who is said to have obtained at least over $27.6 million as a result of the illicit activities, was extradited from Canada to the United States in March 2022.

Multiple APTs maintained long-term access to a US military contractor

The NSA, CISA, and the FBI have released a joint security advisory detailing malicious activity by state-sponsored hacker groups that used custom malware to pilfer sensitive data from a US organization in the Defense Industrial Base (DIB) sector.

An investigation into the intrusion revealed that the organization’s network was compromised by multiple threat actors and that some APTs maintained long-term access to the environment. The threat actors leveraged an open-source toolkit called Impacket to gain their foothold within the environment and further compromise the network, and also used a custom data exfiltration tool, CovalentStealer, to steal the victim’s sensitive data.

Security researchers release a free decryptor for the Hades ransomware

Cybersecurity firm Avast has released a free tool that allows to recover files encrypted by the Hades ransomware.

Back to the list

Latest Posts

Microsoft: Russia combines missile and cyberattacks in Ukraine

Microsoft: Russia combines missile and cyberattacks in Ukraine

In parallel with cyber threat activity Russia would likely conduct influence operations targeting Europe to undermine military and humanitarian assistance to Ukraine.
5 December 2022
Spanish police dismantle 'Black Panthers' SIM swap group

Spanish police dismantle 'Black Panthers' SIM swap group

The scammers stole about €250,000 from nearly 100 victims.
5 December 2022
Google releases emergency security update to fix Chrome zero-day bug

Google releases emergency security update to fix Chrome zero-day bug

With the new update the tech giant fixed the ninth Chrome zero-day since the start of 2022.
5 December 2022