20 January 2023

Security week in review: January 20, 2023

PayPal suffers credential-stuffing attack affecting 35K customers

Payments processor PayPal said it was hit with a credential-stuffing attack in December 2022 that impacted nearly 35,000 customer accounts. An investigation into the breach revealed that the attackers gained access to the accounts using valid credentials. The company said it found no evidence that credentials were obtained from PayPal systems.

Hackers stole data of 37M T-Mobile customers

US wireless carrier T-Mobile disclosed a huge data breach impacting around 37 million current postpaid and prepaid customer accounts. According to the company’s statement, the intruder used an API to obtain information including name, billing address, email, phone number, date of birth, account number, and account details such as the number of lines on the account and service plan features. No passwords, payment card information, social security numbers, government ID numbers or other financial account information were compromised.

T-Mobile said it found no evidence that the bad actor breached or compromised its network or systems.

Mailchimp says it was hit with a data breach (again)

Email marketing service provider Mailchimp suffered a data breach following a social engineering attack on its employees and contractors. The threat actor was able to gain access to select Mailchimp accounts using employee credentials that were compromised in the attack. According to the company, 133 Mailchimp accounts were affected.

In March 2022, Mailchimp suffered a similar incident that impacted 319 Mailchimp accounts.

Law enforcement action dismantles Bitzlato crypto exchange allegedly used to launder illicit funds

French authorities, working with Europol and partners in Spain, Portugal, and Cyprus, dismantled the digital infrastructure of Bitzlato, a Hong Kong-based cryptocurrency exchange that allegedly processed more than $700 million worth of illicit funds, including more than $15 million in ransomware payments. The US Department of Justice has also announced the arrest of Anatoly Legkodymov (aka “Gendalf” and “Tolik”), a Russian national and Bitzlato’s founder. Legkodymov was arrested on Tuesday night in Miami and charged with money laundering.

Exploit released for critical Zoho ManageEngine RCE bug

Security researchers released proof-of-concept exploit code for a remote code execution (RCE) vulnerability in multiple Zoho ManageEngine products. The flaw (CVE-2022-47966) stems from an unspecified error in the Apache Santuario library used by Zoho ManageEngine products, and is exposed when Security Assertion Markup Language (SAML) SSO is enabled. A remote, unauthenticated attacker can bypass the authentication process and compromise the affected system.

The exploit only works if SAML single sign-on has been previously enabled. However, organizations using any of the affected ManageEngine products are strongly advised to update immediately and review unpatched systems for signs of compromise.

Multiple internet-facing Cacti servers vulnerable to actively exploited flaw

Thousands of internet-exposed Cacti installations are vulnerable to a critical security flaw (CVE-2022-46169) that is being actively used in attacks. Censys’ researchers said they identified 6,400 internet-accessible Cacti hosts, of which only 26 were running a patched version of the software.

Chinese hackers are using Fortinet zero-day to deploy BoldMove backdoor

Mandiant has spotted a new cyber-espionage campaign by Chinese hackers that leverages a FortiOS SSL-VPN zero-day vulnerability (CVE-2022-42475) fixed last December to deploy a sophisticated backdoor, dubbed “BoldMove,” specifically designed to run on Fortinet's FortiGate firewalls. Targets have included a government entity in Europe and a managed services provider in Africa. In a report published last week, Fortinet said that CVE-2022-42475 was exploited in attacks on government organizations and government-related targets.

Thousands of Sophos Firewall devices still vulnerable to critical flaw

More than 99% of internet-facing Sophos Firewall appliances were found to be vulnerable to a critical zero-day issue (CVE-2022-3236) that was fixed in September 2022. According to Sophos, this bug was exploited in attacks targeting a small set of specific organizations, primarily in the South Asia region.

New backdoor based on leaked CIA’s Hive spyware spotted in the wild

Qihoo Netlab 360's researchers have spotted a new backdoor based on the US CIA’s Project Hive malware control system, which was leaked by WikiLeaks in 2017 as part of its Vault 8 CIA leak series.

The researchers came across the new malware in October 2022, when one of their honeypots caught a suspicious ELF file spread via an unidentified vulnerability in F5 products. The malicious code contacted a remote IP address over SSL using forged Kaspersky certificates.

Norton Password Manager accounts targeted in credential-stuffing attack

Gen Digital, formerly Symantec Corporation and NortonLifeLock, warned its customers that hackers attempted to break into Norton accounts, and possibly password managers, using a third-party list of stolen username and password combinations. An internal investigation that ran until December 22 found that the attacks started from December 1, and that a number of accounts were successfully compromised. More specifically, the attackers performed a credential stuffing attack where they used credentials bought from the dark web to attempt to log into customers’ accounts.
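Both the PayPal and Norton items above describe credential stuffing: a purchased username/password list replayed against many accounts from a small set of sources, where the successful logins are the accounts that need a forced reset. As an added example (not from any of the reports above), this Python sketch flags that pattern in constructed auth-log lines; the log format, IP addresses and thresholds are assumptions.

```python
"""Credential-stuffing detector over constructed auth-log lines.
Signal: one source IP hitting many distinct accounts in a short window
with a low success ratio; successes inside that window are flagged."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (timestamp, source IP, account, result).
SAMPLE_LOG = """\
2022-12-06T01:00:01Z 203.0.113.7 alice FAIL
2022-12-06T01:00:02Z 203.0.113.7 bob FAIL
2022-12-06T01:00:03Z 203.0.113.7 carol OK
2022-12-06T01:00:04Z 203.0.113.7 dave FAIL
2022-12-06T01:00:05Z 203.0.113.7 erin FAIL
2022-12-06T01:00:06Z 203.0.113.7 frank FAIL
2022-12-06T01:00:07Z 203.0.113.7 grace OK
2022-12-06T01:00:08Z 203.0.113.7 heidi FAIL
2022-12-06T01:05:00Z 198.51.100.9 alice FAIL
2022-12-06T01:05:10Z 198.51.100.9 alice OK
"""

def parse(log):
    """Return (timestamp, ip, user, success) tuples from the log text."""
    events = []
    for line in log.splitlines():
        ts, ip, user, result = line.split()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append((when, ip, user, result == "OK"))
    return events

def detect_stuffing(log, window=timedelta(minutes=10),
                    min_accounts=8, max_success_ratio=0.3):
    """Map each suspicious source IP to the accounts it logged into."""
    by_ip = defaultdict(list)
    for when, ip, user, ok in parse(log):
        by_ip[ip].append((when, user, ok))
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0  # sliding window over this IP's events
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            accounts = {u for _, u, _ in win}
            successes = [u for _, u, ok in win if ok]
            if (len(accounts) >= min_accounts
                    and len(successes) / len(win) <= max_success_ratio):
                findings[ip] = sorted(set(successes))
    return findings
```

The single-user retry from 198.51.100.9 is not flagged because it touches only one account; tune the thresholds to your own login volume before deploying.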

CircleCI engineers’ laptop compromise led to a security breach

Software company CircleCI shared additional details on a security breach that came to light in early January. The company said it first learned of the unauthorized access to its systems after a customer reported that their GitHub OAuth token had been compromised. An investigation into the incident found that the intruders gained access to CircleCI’s network via an engineer’s laptop infected with information-stealing malware.

Russian hackers attempt to bypass ChatGPT’s restrictions for malicious use

Russian cybercriminals are looking for ways to bypass OpenAI’s API restrictions to gain access to the ChatGPT chatbot for malicious purposes. Check Point researchers observed multiple discussions on underground forums on how to bypass the IP address, payment card and phone number controls – all of which stand in the way of accessing ChatGPT from Russia.

Russian darknet market Solaris hacked by rivals

Solaris Market, a large Russian darknet drug marketplace, has reportedly been hacked by its much smaller rival, the recently launched Russian-language drug marketplace known as Kraken. The Kraken team said that it took them three days to steal the clear-text passwords and keys stored on Solaris' servers and disable their rival's Bitcoin server. Elliptic has confirmed there has been no movement in Solaris-affiliated bitcoin addresses since January 13.

The world's first large-scale cyberwar doesn’t incorporate new “types of weapons,” Ukraine says

Ukrainian authorities released a report detailing the conflict with Russia and Russia's concept of hybrid warfare, which combines conventional, economic, cyber, informational, and cultural attacks. Experts said that there is no reason to believe that the intensity of Russian cyberattacks will decrease; the question is what they will be focused on.

Yum Brands says nearly 300 restaurants in UK impacted due to ransomware

Yum Brands, the owner of quick-service chains Taco Bell, Pizza Hut, and KFC, was hit by a ransomware attack that forced the company to close nearly 300 restaurants in the United Kingdom for a day. Although data was taken from the company’s network and an investigation is ongoing, at this stage, there is no evidence that customer databases were stolen, Yum Brands said.

Researchers release free decryptor for BianLian ransomware

Anti-virus maker Avast released a free decryptor for victims of the BianLian ransomware to help them recover their files without paying a ransom.

GitHub Codespaces feature can be abused to deliver malware

A legitimate feature in GitHub Codespaces can be abused to deliver malware to victim systems. Trend Micro found that publicly shared forwarded ports can be abused by threat actors to create a malware file server using a legitimate GitHub account. The researchers created a proof-of-concept (PoC) exploit demonstrating how a threat actor could create a codespace with a publicly exposed port and use it as a file server that downloads malware from an attacker-controlled domain.
