10 March 2023

Cyber security week in review: March 10, 2023


Suspected core members of DoppelPaymer ransomware gang arrested in Germany, Ukraine

In a joint effort, the German Regional Police, Ukrainian National Police, Europol, Dutch Police, and the US Federal Bureau of Investigation have targeted suspected core members of the notorious DoppelPaymer ransomware gang responsible for multiple devastating cyberattacks against victims worldwide.

As part of the operation, which took place on February 28, 2023, the German police raided the house of a German national, who is believed to have played a major role in the DoppelPaymer ransomware group.

Simultaneously, Ukrainian police officers interrogated a Ukrainian national who is also believed to be a member of the core DoppelPaymer group. During searches at two locations in Kiev and Kharkiv the Ukrainian police seized electronic equipment, which is currently under forensic examination.

FBI seizes a domain that sold the NetWire RAT malware

An international law enforcement operation involving the FBI and law enforcement agencies worldwide has resulted in the takedown of a web domain and hosting server linked to the NetWire remote access trojan used by cybercriminals on a global scale. As part of the operation, authorities in Croatia arrested a Croatian national who allegedly was the administrator of the website.

US House and Senate members' personal data is being sold on a hacker forum

A threat actor is selling on a hacker forum what they claim is personal data belonging to 170,000 DC Health Link customers, including House of Representatives members' personally identifiable information (PII).

The data is said to have been obtained via a breach at health insurance marketplace DC Health Link, used by residents of Washington, D.C., including White House staffers and their families. The dataset contains names, Social Security numbers, birth dates, addresses, and other sensitive identifying information.

Acer confirms security breach after 160GB of its data leaked on hacker forum

Taiwanese computer giant Acer has admitted it was hacked after a threat actor put up for sale on a popular hacking forum what they claim is 160GB of data stolen from the manufacturer in mid-February 2023.

The offered dataset allegedly contains confidential slides, staff manuals, confidential product documentation for phones, tablets, and laptops, binary files, information on backend infrastructure, disk images, replacement digital product keys, and BIOS-related information.

Acer said that one of its servers for repair technicians was compromised and that there’s no indication that customer data was affected in the hack.

The Emotet botnet returns after three months of inactivity

The notorious Emotet botnet has begun sending malicious emails after a three-month hiatus. According to Cofense, the malicious emails appear as replies to already existing email chains, with an attached .zip file that is not protected by a password. The archive contains a malicious Microsoft Word document which, when opened, runs a malicious macro that downloads Emotet from an external server.

A new malware targets SonicWall devices

Security researchers with Google-owned Mandiant discovered a suspected Chinese campaign tracked as UNC4540 that targets unpatched SonicWall SMA devices with a new malware capable of stealing user credentials, providing shell access, and persisting through firmware upgrades.

The malware consists of a series of bash scripts and a single ELF binary identified as a variant of the TinyShell backdoor. Mandiant says it was not able to determine the origin of the infection; however, the malware, or a predecessor of it, was likely deployed in 2021. The researchers believe that attacker access has persisted through multiple firmware updates.

Transparent Tribe APT spreads CapraRAT backdoor via fake secure messaging apps

A new cyber-espionage campaign has been detected that is targeting Indian and Pakistani Android users with a backdoor called CapraRAT.

The ongoing operation has been linked by ESET researchers to a suspected Pakistan-aligned advanced persistent threat (APT) group known as Transparent Tribe (APT36, Mythic Leopard, ProjectM, Operation C-Major).

The latest Transparent Tribe campaign is focused on Indian and Pakistani Android users – presumably with a military or political orientation. The threat actor is using trojanized secure messaging and calling apps branded as MeetsApp and MeetUp to infect victims with the CapraRAT malware capable of stealing any sensitive information from target devices.

Iranian hackers target people involved in Middle Eastern political affairs research

Secureworks researchers have uncovered a new Iran-linked state-backed cyber-espionage campaign aimed at female human rights activists actively involved in political affairs and human rights in the Middle East region.

The campaign has been attributed to a threat group that the cybersecurity company tracks as Cobalt Illusion, more commonly known as APT35 or Charming Kitten. In its latest social engineering campaign, Cobalt Illusion contacted potential victims using a fake Twitter persona who offered them the opportunity to contribute to an Atlantic Council report in progress.

North Korean hackers expand their attack arsenal with three malware families

A North Korean cyber-espionage group tracked as UNC2970 has been employing previously unknown malware families (TOUCHMOVE, SIDESHOW, and TOUCHSHIFT) as part of a spear-phishing campaign targeting US and European media and technology organizations since June 2022.

UNC2970 is suspected to be UNC577, also known as Temp.Hermit, that has been active since at least 2013. Additional technical details on this campaign are available in Mandiant’s two-part analysis.

Ukraine’s SSSCIP releases a report on Russia’s cyber tactics

The State Service of Special Communications and Information Protection of Ukraine has released a report on Russia’s tactics in cyberspace, detailing Russia’s principal hacking groups, their motivation, attack methods and tools.

New HiatusRAT router malware covertly spies on victims

Security researchers have spotted a previously undocumented malware campaign that targets business-grade routers, namely DrayTek, and infects devices with two malicious binaries: the HiatusRAT malware, and a variant of the tcpdump command-line utility that enables packet capture on the target device.

It is estimated that around 100 devices were infected in the campaign, which represents nearly 2% of the total number of DrayTek 2960 and 3900 routers that are currently exposed to the internet. The researchers identified at least 100 victims, mainly located in Europe and Latin America.

Thousands of websites hijacked using legitimate FTP credentials

Cloud security firm Wiz discovered a widespread redirection campaign that compromised tens of thousands of websites aimed at East Asian audiences in order to redirect users to adult-themed sites.

Active since at least September 2022, the campaign, dubbed “Redirection Roulette,” has been leveraging legitimate FTP credentials previously obtained by threat actors behind this operation.

In each case, the threat actor has injected malicious code into customer-facing web pages that is designed to collect information about visitors’ environments and occasionally redirect them to these other sites.

New advanced FiXS ATM malware targets Mexican banks

Security researchers at Latin American cybersecurity firm Metabase Q have discovered a new malware strain dubbed "FiXS" that has been used in ATM jackpotting attacks in Mexico since the start of February 2023. FiXS is a vendor-agnostic malware that targets any ATM that supports CEN XFS, a suite of protocols and APIs supported by the banking industry.

The malware is hidden within innocuous-looking software and interacts with its operators via an external keyboard. One of the notable features of FiXS is its ability to dispense money 30 minutes after the last ATM reboot by using the Windows GetTickCount API. The researchers said they have not yet identified the initial infection vector.

Barcelona’s major hospital hit with ransomware, thousands of appointments cancelled

The Hospital Clinic de Barcelona, one of Barcelona’s main hospitals, was hit with a ransomware attack that crippled the facility’s computer system used by numerous laboratories, clinics and the emergency room. Following the attack, 150 nonurgent operations and up to 3,000 patient checkups were cancelled, because personnel couldn’t access patients’ clinical records.

According to the regional Catalonian Cybersecurity Agency, the attack was orchestrated from outside of Spain by a group called “Ransom House.” Officials said that the ransomware group used new techniques in the attack, but didn’t elaborate on the matter.

New vulnerabilities in TPM 2.0 library put at risk millions of IoT devices

A pair of vulnerabilities were discovered in the Trusted Platform Module (TPM) 2.0 reference library specification that could potentially lead to information disclosure or privilege escalation.

Tracked as CVE-2023-1017 and CVE-2023-1018, the two discovered bugs are out-of-bounds write and out-of-bounds read issues within the CryptParameterDecryption routine that could be used to execute arbitrary code on the system and read the contents of memory.
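As an added illustration of the defect class the two CVEs describe (this is not code from the page or from the TPM reference library), here is a constructed model of a size-prefixed parameter decryption routine, with the unchecked form beside its bounds-checked counterpart; the parameter layout, the buffer sizes and the XOR stand-in for the session cipher are assumptions.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model of a TPM command parameter area: the first parameter is a
 * TPM2B-style buffer, a 2-byte big-endian size followed by that many bytes.
 * Session encryption covers only that parameter, so decryption takes its
 * length from the size prefix but must never touch bytes outside the area
 * actually received. XOR with a keystream stands in for the session cipher. */

static uint16_t read_be16(const uint8_t *p) {
    return (uint16_t)(((uint16_t)p[0] << 8) | p[1]);
}

/* Bug-class model (not the reference code): trusts the size field and never
 * compares it with the bytes present, so a prefix larger than the remaining
 * area drives the loop past the buffer. Only call this on validated input. */
int decrypt_param_unchecked(uint8_t *area, const uint8_t *keystream) {
    uint16_t size = read_be16(area);
    for (uint16_t i = 0; i < size; i++)
        area[2 + i] ^= keystream[i];
    return 0;
}

/* Hardened form: reject an area too short to hold the prefix, and a prefix
 * that claims more bytes than remain after it. Returns 0 on success, -1 on a
 * malformed parameter, leaving the area untouched in the error case. */
int decrypt_param_checked(uint8_t *area, size_t area_len, const uint8_t *keystream) {
    if (area_len < 2)
        return -1;                       /* no room for the size prefix */
    uint16_t size = read_be16(area);
    if ((size_t)size > area_len - 2)
        return -1;                       /* prefix overruns the received bytes */
    for (uint16_t i = 0; i < size; i++)
        area[2 + i] ^= keystream[i];
    return 0;
}

/* Constructed sample: a 6-byte area whose prefix claims 4 payload bytes. With
 * claim_too_much set, the prefix is rewritten to claim 40 bytes although only
 * 4 follow. Returns -1 on rejection, else the first decrypted byte (0xEF). */
int demo(int claim_too_much) {
    uint8_t area[64] = {0x00, 0x04, 0x10, 0x20, 0x30, 0x40};
    uint8_t keystream[64];
    memset(keystream, 0xFF, sizeof keystream);
    if (claim_too_much)
        area[1] = 0x28;
    if (decrypt_param_checked(area, 6, keystream) != 0)
        return -1;
    return area[2];
}
```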
