16 December 2022

Cyber security week in review: December 16, 2022

NSA warns of Chinese hackers exploiting Citrix zero-day

A Chinese state-sponsored threat actor is actively exploiting a zero-day vulnerability in Citrix Application Delivery Controller (ADC) and Citrix Gateway to compromise affected systems, the US National Security Agency (NSA) has warned.

The zero-day, tracked as CVE-2022-27518, allows an unauthenticated attacker to execute commands remotely on vulnerable devices and take them over. The bug affects the following versions: Citrix ADC and Citrix Gateway 13.0 before 13.0-58.32; Citrix ADC and Citrix Gateway 12.1 before 12.1-65.25; Citrix ADC 12.1-FIPS before 12.1-55.291; Citrix ADC 12.1-NDcPP before 12.1-55.291. Citrix ADC and Citrix Gateway version 13.1 is unaffected.

Hackers target Ukraine with malicious Windows 10 installers

A threat actor, tracked by Mandiant as UNC4166, has used trojanized versions of the Windows 10 OS installer, spread via Ukrainian- and Russian-language torrent websites, to infect local government entities with malware. These installers were used to deploy malware capable of collecting data from compromised computers, downloading additional malicious tools, and exfiltrating stolen data to attacker-controlled servers. According to Mandiant, the organizations targeted in this campaign were previously on the target list of APT28, a state-sponsored group linked to Russian military intelligence.

Microsoft’s December 2022 Patch Tuesday fixes nearly 50 bugs, 1 zero-day

Microsoft has released its monthly batch of security updates for the Windows operating system components and software products that address about 50 security vulnerabilities, including a zero-day flaw exploited by hackers.

Tracked as CVE-2022-44698, the zero-day vulnerability in question is a security feature bypass in Windows SmartScreen that allows a remote attacker to circumvent the security restrictions it enforces.

Apple patches tenth iOS zero-day since the start of 2022

Apple has issued security updates for iOS, iPadOS, macOS, tvOS, and the Safari web browser to address a zero-day vulnerability that allows remote code execution. Tracked as CVE-2022-42856, the bug is a type confusion issue in Apple's WebKit browser engine. A remote attacker can execute arbitrary code on the target system by tricking the victim into visiting a specially crafted website.

Fortinet releases emergency updates for severe FortiOS bug actively exploited in the wild

Fortinet has released emergency patches for a severe security vulnerability impacting its FortiOS SSL-VPN solution that is said to have been exploited in real-world attacks.

Tracked as CVE-2022-42475, the bug is a heap-based buffer overflow that allows a remote attacker to execute arbitrary code on the system. The issue impacts the following products: FortiOS version 7.2.0 through 7.2.2; FortiOS version 7.0.0 through 7.0.8; FortiOS version 6.4.0 through 6.4.10; FortiOS version 6.2.0 through 6.2.11; FortiOS-6K7K version 7.0.0 through 7.0.7; FortiOS-6K7K version 6.4.0 through 6.4.9; FortiOS-6K7K version 6.2.0 through 6.2.11; FortiOS-6K7K version 6.0.0 through 6.0.14.
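As an added example (not part of the original post or of either vendor's advisory), a small Python checker that encodes the affected version ranges quoted in the Citrix and Fortinet items above and answers whether a given build falls inside them. The version string formats, and naming the FIPS/NDcPP edition as part of the product string, are assumptions.

```python
import re

# Added example: version-range checks for the two advisories summarised above.
# Affected ranges are the ones quoted in the text; the version string formats
# (Citrix "MAJOR.MINOR-BUILD.SUB", FortiOS "X.Y.Z") and the product names used
# for the FIPS/NDcPP editions are assumptions, not taken from the vendors.

def parse_version(version):
    """Split '13.0-58.32' or '7.0.8' into ints so tuples compare numerically."""
    return tuple(int(part) for part in re.split(r"[.-]", version.strip()))

# CVE-2022-27518: the text gives a "before" version per (product, branch), so
# any build on that branch below it is affected. 13.1 is not listed: unaffected.
CITRIX_FIRST_FIXED = {
    ("Citrix ADC", "13.0"): "13.0-58.32",
    ("Citrix Gateway", "13.0"): "13.0-58.32",
    ("Citrix ADC", "12.1"): "12.1-65.25",
    ("Citrix Gateway", "12.1"): "12.1-65.25",
    ("Citrix ADC FIPS", "12.1"): "12.1-55.291",
    ("Citrix ADC NDcPP", "12.1"): "12.1-55.291",
}

# CVE-2022-42475: (product, first affected, last affected), both ends inclusive.
FORTIOS_AFFECTED = [
    ("FortiOS", "7.2.0", "7.2.2"), ("FortiOS", "7.0.0", "7.0.8"),
    ("FortiOS", "6.4.0", "6.4.10"), ("FortiOS", "6.2.0", "6.2.11"),
    ("FortiOS-6K7K", "7.0.0", "7.0.7"), ("FortiOS-6K7K", "6.4.0", "6.4.9"),
    ("FortiOS-6K7K", "6.2.0", "6.2.11"), ("FortiOS-6K7K", "6.0.0", "6.0.14"),
]

def citrix_affected(product, version):
    """True if this Citrix build is below the first fixed build of its branch."""
    branch = version.split("-")[0]            # "13.0-58.32" -> "13.0"
    fixed = CITRIX_FIRST_FIXED.get((product, branch))
    if fixed is None:
        return False                          # branch not in the advisory (e.g. 13.1)
    return parse_version(version) < parse_version(fixed)

def fortios_affected(product, version):
    """True if this FortiOS build falls inside any listed inclusive range."""
    v = parse_version(version)
    return any(p == product and parse_version(lo) <= v <= parse_version(hi)
               for p, lo, hi in FORTIOS_AFFECTED)

if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    inventory = [("Citrix ADC", "13.0-58.30"), ("Citrix Gateway", "13.1-33.47"),
                 ("FortiOS", "7.0.8"), ("FortiOS-6K7K", "7.0.8")]
    for product, version in inventory:
        hit = (citrix_affected if product.startswith("Citrix") else fortios_affected)(product, version)
        print(f"{product} {version}: {'AFFECTED' if hit else 'not affected'}")
```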

Researchers found a way to bypass popular WAFs

Researchers with cybersecurity firm Claroty said they discovered a new method to bypass web application firewalls (WAFs) from various vendors, including Palo Alto Networks, Amazon Web Services, Cloudflare, F5, and Imperva.

According to the researchers, the new technique involves appending JSON syntax to SQL injection payloads that a WAF is unable to parse. It was discovered that major WAF vendors had not implemented JSON support in their products. While most WAFs easily detect plain SQLi attacks, adding JSON to the SQL syntax allows an attacker to circumvent their protections.

Uber investigates a new data breach after a third-party vendor hack

Ride-hailing giant Uber Technologies is investigating the breach of a third-party vendor that reportedly resulted in the leak of data from the company, including employee email addresses. The leaked data included what is claimed to be source code associated with mobile device management platforms (MDM) used by Uber and Uber Eats and third-party vendor services, IT asset management reports, data destruction reports, Windows domain login names and email addresses, and other corporate information.

Ukrainian state railway, government agencies targeted by DolphinCape malware

Ukraine’s Computer Emergency Response Team (CERT-UA) has warned of a new wave of phishing attacks that target Ukrainian state railway and government agencies in order to infect systems with the DolphinCape malware.

The attack involves phishing emails with a malicious attachment ostensibly sent by Ukraine’s State Emergency Service with recommendations on how to identify Iranian-made Shahed-136 kamikaze drones that Russia is continually using to attack crucial energy infrastructure in Ukraine. As of December, the terrorist state has damaged nearly 50% of Ukraine’s energy infrastructure, including all thermal and hydroelectric power plants.

Cloud Atlas cyber-espionage group targets entities in Russia, Belarus

Check Point has an interesting report out on the activities of a cyber-espionage group known as Cloud Atlas (Inception) that has shifted its focus to Russia and Belarus, as well as conflict areas in Ukraine and Moldova, since the start of Russia's invasion.

Researchers detail inner workings of Azov ransomware

Another report from Check Point sheds light on the inner workings of Azov Ransomware, a wiper designed to corrupt data and “inflict impeccable damage” to compromised systems. The researchers said that hundreds of new Azov-related samples are being submitted to VirusTotal every day. As of November 2022, there were more than 17,000 samples observed.

Azov, which has been described as an “effective, fast, and unfortunately unrecoverable data wiper,” is distributed via the “SmokeLoader” botnet.

NIST retires SHA-1 cryptographic algorithm

The US National Institute of Standards and Technology (NIST) has announced the formal retirement of the SHA-1 cryptographic hash algorithm due to the presence of weaknesses that make its further use inadvisable. The agency is now recommending that IT professionals, companies, and software vendors replace SHA-1 with the newer, more secure SHA-2 or SHA-3 algorithms. Organizations should phase SHA-1 out by December 31, 2030, the agency said.

Personal info of 5.7M Gemini users put up for sale on a hacker forum

Gemini crypto exchange has confirmed that the email addresses and incomplete phone numbers of some of its customers were stolen during a security incident at one of its service providers and that its users are now being targeted with phishing attacks. The announcement comes after multiple posts emerged on a hacker forum offering to sell a database allegedly containing phone numbers and email addresses of 5.7 million Gemini users for a price of 30 bitcoins.

Hacker compromised FBI’s InfraGard portal

A hacker has reportedly gained access to the database of InfraGard, an FBI-run outreach program that shares sensitive information on national security and cybersecurity threats with public officials and private sector actors who run US critical infrastructure. The attacker posted samples of the database on a popular cybercriminal forum and said they were asking $50,000 for the entire database, which contains information on more than 80,000 InfraGard members, including names, affiliations and contact information.

Chinese hackers target Japanese political entities with new MirrorStealer malware

Security researchers at ESET released a report detailing a new spear-phishing campaign targeting Japanese political entities orchestrated by a Chinese-speaking threat actor codenamed MirrorFace. Dubbed “Operation LiberalFace,” the campaign was focused on members of an unnamed political party with the goal of delivering an implant called LODEINFO and a previously undocumented credential stealer called MirrorStealer.

Hackers use Microsoft-signed malicious drivers to deploy ransomware

Microsoft has revoked several hardware developer accounts after drivers certified by Microsoft's Windows Hardware Developer Program were used as part of post-exploitation activity, including incidents leading to ransomware infections.

The probe into the matter was launched following reports from Mandiant, Sophos, and SentinelLabs that found that a Microsoft-approved malicious driver was leveraged by threat actors, including those affiliated with the Cuba ransomware gang. The driver had also been observed in several intrusions at a variety of organizations in the last four months, notably at telecommunication, BPO, MSSP, and financial services businesses.

FBI seizes 48 domains that sold DDoS-for-Hire services

The US Department of Justice announced it seized 48 internet domains that offered so-called “booter” or “stresser” services that allowed cybercriminals to launch distributed denial-of-service (DDoS) attacks. The US authorities have also charged six individuals allegedly involved in running the DDoS-for-Hire services.
