13 January 2023

Cyber security week in review: January 13, 2023


Cyber security week in review: January 13, 2023

SugarCRM zero-day used to breach hundreds of servers

Hundreds of internet-facing SugarCRM servers were hacked using a zero-day exploit for a now-patched vulnerability in the popular SugarCRM customer relationship management system.

The flaw is an authentication bypass issue that allows attackers to bypass implemented authentication process, upload a malicious file and execute it on the server. In attacks observed by Censys, threat actors exploited the bug to deploy a web shell that gives access to compromised systems. In some cases the zero-day was used to deploy cryptomining malware as well.

This year's first Microsoft Patch Tuesday fixes nearly 100 bugs, a Windows zero-day

Microsoft released its first security update for 2023, which contains patches for nearly 100 vulnerabilities affecting the company’s software products, including a zero-day bug said to have been actively exploited in the wild. The zero-day vulnerability (CVE-2023-21674) is a buffer overflow issue related to a boundary error within the Windows Advanced Local Procedure Call (ALPC). A local user can trigger memory corruption and execute arbitrary code with SYSTEM privileges. The bug affects Windows 8.1 - 11 22H2, and Windows Server versions 2012 R2 - 2022 20H2.

Microsoft bugs top list of exploited vulnerabilities affecting financial sector

Vulnerabilities affecting Microsoft products top the list of known security flaws most commonly exploited by threat actors in attacks on organizations in the US financial sector.

An analysis of public internet-facing assets from over 7 million IP addresses belonging to the sector showed that a seven-year-old remote code execution Windows bug (CVE-2015-1635) was one of the most commonly exploited security issues in November 2022, followed by CVE-2021-31206, an RCE flaw in Microsoft Exchange Server, and the infamous “ProxyShell” vulnerabilities (CVE-2021-34523, CVE-2021-31207 and CVE-2021-34473). Other most exploited Exchange bugs include CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065.

Fortinet zero-day exploited in attacks on government orgs

Fortinet published a follow-up report on a FortiOS SSL-VPN zero-day vulnerability (CVE-2022-42475) fixed last December, which it says was exploited by unknown threat actors in attacks on government organizations and government-related targets. The vulnerability is a heap-based buffer overflow issue within the FortiOS.

European police shut down call centers involved in pig butchering scams

A joint international law enforcement effort has taken down a massive call center investment scam operation that lured victims into investing large amounts of money into fake cryptocurrency schemes. Europol estimates that the financial damage to German victims is over two million euro, but the investigation suggests that the number of unreported cases is likely to be much higher. This would mean that the illegal gains generated by the criminal groups, with at least four call centers in eastern Europe, may be in the hundreds of millions of euro.

SweepWizard police app exposed secret details about raids and suspects

SweepWizard, an app used by US law enforcement to coordinate multi-agency raids, leaked the personal details of suspects and police officers involved in major police operations going all the way back to 2011, Wired reported. The leak occurred due to a flaw in the app's API, which reportedly let anyone with a specific URL view data on officers, suspects, and the operations they were engaged in. The exposed info included geographic coordinates of suspects’ homes and the time and location of raids, demographic and contact information, and in some cases suspects’ Social Security numbers.

Cybercriminals abusing ChatGTP for writing malware

According  to a recent report from cybersecurity firm Check Point bad actors are already taking advantage of the AI-based ChatGTPchatbot to develop malicious tools, and some of the cases demonstrated that many cybercriminals using OpenAI have no development skills at all. The company described three separate cases where less experienced cybercriminals would be able to easily recreate workable malware strains capable of infiltrating a network by following the specific instructions provided to them by ChatGTP.

In related news, a joint group of researchers devised a new poisoning attack, dubbed “Trojan Puzzle,” that allows to trick AI-based coding assistants into suggesting insecure code.

Cuba ransomware is now breaching Exchange servers via OWASSRF flaw

Threat actors behind the Cuba ransomware are now using the OWASSRF zero-day exploit previously observed in the Play ransomware attacks to compromise unpatched Microsoft Exchange servers.

OWASSRF, which targets the CVE-2022-41080 Exchange vulnerability, has been used by the Play ransomware gang since late November 2022. Microsoft said that the flaw has also been exploited since at least November 17 by another threat group it tracks as DEV-0671 to hack Exchange servers and deploy Cuba ransomware.

NoName057(16) pro-Russian hackers target Ukraine, NATO countries

Avast and SentinelOne released separate reports detailing activities of a pro-Russian hacktivist group focused on targeting Ukraine and NATO organizations. The group is said to be responsible for the recent DDoS attacks on Denmark’s financial sector, organizations and businesses across Poland and Lithuania, as well as 2023 Czech presidential election candidates’ websites.

Russian cyberattacks could equate to war crimes, Ukraine says

Russian cyberattacks on critical and civilian infrastructure could amount to war crimes, because they directly impact Ukrainian civilians. According to Victor Zhora, chief digital transformation officer at the State Service of Special Communication and Information Protection (SSSCIP) of Ukraine, Russia has launched cyberattacks in coordination with kinetic military attacks as part of its invasion of the country, which could equate to war crimes. He said that Ukrainian authorities are gathering evidence of cyberattacks linked to military strikes to share with the International Criminal Court (ICC) in the Hague, in an effort to support potential prosecutions into Russia's actions.

Russian Cold River hackers targeted US nuclear research labs

A Russian hacker group known as Cold River or Calisto targeted three nuclear research laboratories in the United States last summer. The hackers targeted the Argonne, Brookhaven and Lawrence Livermore National Laboratories using phishing emails that led to fake login pages designed to trick nuclear scientists into revealing their passwords. It’s not clear if these attacks were successful.

Russian Turla APT piggibacks on other hackers’ malware to target Ukraine

A notorious Russia-linked threat actor was observed piggybacking on attack infrastructure used by a decade-old malware to install its own backdoors and steal useful information from targets in Ukraine. Mandiant said it discovered a suspected Turla Team (UNC4210) operation last year that distributed the Kopiluwak reconnaissance tool and Quietcanary backdoor to victims in Ukraine previously hit by the Andromeda malware. UNC4210 re-registered at least three expired Andromeda command and control (C&C) domains and began profiling victims to selectively deploy Kopiluwak and Quietcanary in September 2022, the report said.

VSCode marketplace can be abused to target developers with malicious extensions

A new attack method involving the Visual Studio Code extensions Marketplace can be used by hackers to deliver malicious extensions to developers in a supply chain attack. It was found that it is fairly easy to upload a malicious extension disguised as a legitimate one to the Visual Studio Code Marketplace. Moreover, the marketplace allows a threat actor to use the same name and extension publisher details, including the project repository information.

As an experiment, the researchers created a proof-of-concept (PoC) extension disguised as a popular code formatting extension named “Prettier” with over 27 million downloads, and uploaded it on the Visual Studio Code Marketplace. In just under 48 hours, the rogue extension has amassed more than a thousand installs by active developers worldwide.

Kinsing crypto malware breaching Kubernetes clusters via PostgreSQL

Operators of the Kinsing cryptojacking malware are now compromising Kubernetes clusters by using vulnerabilities in container images and misconfigured PostgreSQL servers to gain initial access to Kubernetes environments. The misconfiguration relates to ‘trust authentication’ setting, which could be leveraged by a threat actor to connect to the Postgres servers without authentication and achieve remote code execution. Microsoft also warns that some network configurations in Kubernetes are susceptible to ARP poisoning, allowing attackers to impersonate applications in the cluster.

Twitter says no evidence that leaked user data was obtained via bug in its systems

Social media giant Twitter said it found no evidence that the recent data leaks allegedly containing phone numbers and email addresses of millions of Twitter users were a result of hackers exploiting a vulnerability in its platform. After an investigation the Twitter security team concluded that the data leaks reported in November and December, 2022, and January 2023 were not a result of a new security breach, but rather “ the data is likely a collection of data already publicly available online through different sources.”

Back to the list

Latest Posts

Russia-linked Nodaria APT adds new Graphiron infostealer to its toolkit

Russia-linked Nodaria APT adds new Graphiron infostealer to its toolkit

The new infostealer was observed in attacks targeting Ukrainian organizations.
8 February 2023
CISA releases tool to recover encrypted VMware ESXi servers

CISA releases tool to recover encrypted VMware ESXi servers

According to CISA’s list of bitcoin addresses, over 2,800 ESXi servers have been encrypted to date.
8 February 2023
Threat actors target Ukrainian government agencies with Remcos spyware

Threat actors target Ukrainian government agencies with Remcos spyware

The attack involves a phishing email ostensibly sent by Ukrtelecom, a major Ukrainian internet service provider.
8 February 2023