3 February 2023

Cyber security week in review: February 3, 2023

LockBit ransomware attack on financial software firm ION Group impacts derivatives trades

ION Group, a Dublin-based trading technology provider, was hit by a ransomware attack that forced several European and US banks and brokers to resort to manually processing trades. In a short statement the company said the incident, which took place on January 31, 2023, affected its Cleared Derivatives division and was “contained to a specific environment, affected servers disconnected and the remediation of services is underway.”

While the provider did not name the culprit behind the hack, the LockBit ransomware-as-a-service group added ION to its dark web data leak site, stating that it will publish “all available data” on the morning of February 4 if its demands aren’t met. Security experts note that if LockBit did indeed steal data from ION, the leak of sensitive information belonging to large investors may cause significant financial and organizational damage.

Hackers stole encrypted code signing certs for GitHub Desktop and Atom

GitHub revealed that unknown hackers stole encrypted code signing certificates for its Desktop and Atom applications after gaining access to a set of repositories belonging to the aforementioned apps. The incident took place on December 6, 2022, the company said. The certificates were password-protected, and, so far, GitHub has no evidence that the certs were decrypted or maliciously used.

A zero-day in GoAnywhere MFT exploited in hacker attacks

Threat actors are exploiting a zero-day vulnerability in the GoAnywhere MFT file transfer solution, security researchers warn.

The zero-day bug resides in the administrative web interface and could be exploited by a remote attacker to achieve remote code execution via a malicious request. No patch is currently available for this flaw.

Fortinet VPN bug increasingly exploited in the wild

GreyNoise says it observed a significant increase in credential brute force attempts against Fortinet SSL VPN devices using the CVE-2022-42475 bug disclosed last December. The security issue is a heap-based buffer overflow vulnerability in FortiOS SSL-VPN, which may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests.

As of January 31, GreyNoise has observed 13,513,728 login attempts against this vulnerability. The company said it is not aware of any publicly available Proof-of-Concept (PoC) code for CVE-2022-42475 at this time.

Microsoft urges customers to patch on-premises Exchange servers

Microsoft has urged its customers to patch their on-premises Exchange servers as soon as possible, as unpatched servers may provide a way for malicious actors to breach an organization’s network. To defend servers against attacks exploiting known vulnerabilities, administrators are advised to install the latest supported Cumulative Updates (CU12 for Exchange Server 2019, CU23 for Exchange Server 2016, and CU23 for Exchange Server 2013) together with the January 2023 SU.

Russian Sandworm hackers hit Ukraine with new destructive wipers

ESET threat research group has discovered two new strains of data wiping malware, dubbed “SwiftSlicer” and “NikoWiper”, used in attacks against Ukraine. Both wipers were attributed to Sandworm, a state-backed hacker group linked with Russia’s Main Directorate of the General Staff of the Armed Forces (GRU).

SwiftSlicer is written in the Go programming language and is designed to overwrite crucial files used by the Windows operating system. The new malware was spotted on January 25 in a cyberattack targeting an organization in Ukraine. The malware was deployed through Group Policy, suggesting the threat actor had hijacked the victim’s Active Directory environment.

NikoWiper is based on SDelete, a command line utility from Microsoft that is used for securely deleting files. This data wiper was used in an attack on an unnamed Ukrainian energy company last October.

Winter Vivern hackers spoof Ukraine's Foreign Affairs Ministry to lure victims

Ukraine's CERT team discovered a new phishing campaign that impersonates an official website of Ukraine's Foreign Affairs Ministry to trick visitors into downloading malicious software meant to steal data from their systems. CERT-UA tracks this activity as UAC-0114 (aka Winter Vivern).

A joint investigation with Poland's CERT team revealed similar websites operated by the same threat actor that spoofed the websites of the Ministry of Defense of Ukraine, the Security Service of Ukraine, and the Polish Police.

Russia-linked Gamaredon targets Ukrainian authorities with new spyware variants

The State Cyber Protection Center of Ukraine released a technical report detailing the Tactics, Techniques, and Procedures (TTPs) used by the Gamaredon (UAC-0010, Armageddon, Actinium, Iron Tilden, Primitive Bear, Shuckworm, Trident Ursa) threat actor in recent attacks targeting Ukrainian organizations. The group is leveraging a multi-step download approach and executing spyware payloads used to maintain control over infected hosts. For now, Gamaredon uses the GammaLoad and GammaSteel spyware in its campaigns.

North Korean Lazarus Group targets medical research and tech orgs via unpatched Zimbra servers

A new cyber-espionage campaign linked to a well-known North Korea-affiliated threat actor called “Lazarus Group” has exploited several vulnerabilities in unpatched Zimbra servers to gain access to victim organizations and steal data. The new operation codenamed “No Pineapple” targeted public and private sector research organizations, the medical research and energy sector, as well as their supply chain.

The attackers gained initial access to the victim organization by exploiting a pair of vulnerabilities (CVE-2022-27925, CVE-2022-37042) in a vulnerable Zimbra mail server. They then installed commodity webshells and tunnelling/relay software (Putty Plink and 3Proxy). After this the threat actor exploited a local privilege escalation bug (CVE-2021-4034) in the pkexec utility to gain root privileges.

North Korea-linked hackers stole $1.7b in 2022

A new report from blockchain analysis firm Chainalysis says that a record $3.8 billion was stolen from cryptocurrency businesses in 2022, with North Korea-backed hackers said to have been responsible for the vast majority of crypto thefts. Last October was the biggest single month ever for cryptocurrency hacking, as $775.7 million was stolen in 32 separate attacks.

It is estimated that North Korean hackers stole $1.7 billion worth of cryptocurrency across several hacks in 2022.

Iranian APT35 adds a new backdoor to its arsenal

Trend Micro released a report detailing a recent campaign by an Iran-linked threat actor APT34 (OilRig) targeting entities in the Middle East that uses a new backdoor called “RedCap”.

Hackers abuse Microsoft’s “verified publisher” status to sneak into cloud environments

Threat actors used malicious OAuth applications that took advantage of Microsoft’s “verified publisher” status to breach organizations’ cloud environments and gain access to users' emails. The attackers used their bogus status as verified app publishers within the MCPP program to compromise cloud environments of organizations in the UK and Ireland. The campaign targeted employees in finance and marketing, as well as managers and executives.

Six-year-old TrickGate software service used to deploy Emotet, REvil, Maze malware

A malicious software service called TrickGate has been used by threat actors to bypass endpoint detection and response (EDR) protection software and antivirus programs for over six years.

First spotted in July 2016, TrickGate is a shellcode-based packer offered as a service, which over the past several years was used to deploy various types of malware, such as ransomware, RATs, info-stealers, bankers, and miners, including Cerber, Trickbot, Maze, Emotet, REvil, Cobalt Strike, AZORult, Formbook, CoinMiner, Remcos, Lokibot, and AgentTesla. Furthermore, the service is regularly used by state-sponsored hacker groups to wrap their malicious code to prevent detection by security solutions.

LockBit ransomware gang releases LockBit Green version

The LockBit ransomware group released a new version of its ransomware, called LockBit Green, designed to target cloud-based services. This is the third version of the ransomware; the previous two variants are tracked as LockBit Red and LockBit Black. Interestingly, LockBit Green appears to have been built on the source code of the Conti ransomware (v3) leaked online by a Ukrainian security researcher in March 2022.

Top 10 ransomware attacks earned hackers $70 billion 

Immunefi, a bug bounty and security platform for Web3, released its top crypto ransomware payments report, according to which ten major ransomware attacks observed since 2020 earned cybercriminals a total of $69,316,140 in ransom payments. These include CNA Financial ($40 million), JBS ($11 million), CWT ($4.5 million), Brenntag ($4.5 million), and Colonial Pipeline ($4.4 million).

HeadCrab botnet infected over 1,200 Redis servers

At least 1,200 Redis database servers worldwide have been ensnared in a botnet using state-of-the-art, custom-made malware dubbed HeadCrab since early September 2021. A significant number of infections have been observed in China, Malaysia, India, Germany, the UK, and the US to date.

Passion DDoS botnet used in attacks on medical institutions in the US, Europe

DDoS mitigation service Radware discovered a new DDoS botnet called “Passion” that has recently been used in cyberattacks targeting medical institutions across the United States and Europe, including Portugal, Spain, Germany, Poland, Finland, Norway, the Netherlands, and the UK. Researchers linked these attacks, carried out in retaliation for sending tanks in support of Ukraine, to several pro-Russia hacktivist groups such as Killnet and Anonymous Russia.
