24 March 2023

Cyber security week in review: March 24, 2023

BreachForums shut down after alleged owner’s arrest

The notorious BreachForums hacking forum has closed after its current administrator, known as “Baphomet”, disclosed that they believe law enforcement likely has access to the site’s servers. The decision comes after 22-year-old Conor Brian Fitzpatrick (aka “Pompompurin”), believed to be the leading administrator of BreachForums, was arrested in New York last week.

Bitcoin ATM maker General Bytes suffers a $1.5M hack

Major crypto ATM manufacturer General Bytes has disclosed a security breach, where hackers stole over $1.5 million in cryptocurrency using a zero-day vulnerability in its software. The incident took place on March 17-19.

According to a security advisory published by General Bytes, the threat actor remotely uploaded a malicious Java application via the master service interface used by terminals to upload videos, and ran it with batm user privileges. This allowed the attacker to access the database, read and decrypt API keys used to access funds in hot wallets and exchanges, steal funds from hot wallets, download user names with their password hashes and turn off two-factor authentication, as well as access terminal event logs and scan for any instance where customers scanned a private key at the ATM.

China-linked hackers weaponized most zero-days in 2022

According to a report from Mandiant, 55 zero-days were actively exploited last year, most targeting Microsoft, Google, and Apple software. Of the 55 zero-day vulnerabilities, 13 are estimated to have been abused by cyber espionage groups, and four were exploited by financially motivated threat actors in ransomware operations. Commercial spyware vendors were linked to the exploitation of three zero-days.

Google suspends main Chinese shopping app Pinduoduo over malware concern

Google suspended the Play version of the Chinese shopping app Pinduoduo made by Chinese ecommerce giant PDD Holdings after discovering malware in off-Play versions of the software. The move comes after multiple Chinese security researchers reported that Pinduoduo Android versions contained malware designed to monitor users. While Google Play Store is not available in China, malicious versions of the app were discovered on the custom app stores of some electronics companies like Samsung, Huawei, Oppo and Xiaomi.

Lionsgate streaming platform exposed data of 37M users

Video streaming platform Lionsgate Play exposed sensitive data on millions of its users that was stored on an unprotected ElasticSearch instance, the Cybernews research team found. The vulnerable instance contained 20GB of server logs with nearly 30 million entries. Some of the data dates back to May 2022 and includes user IP addresses as well as information on user devices, operating systems, and web browsers.

City of Toronto, Virgin, Hitachi hit with Cl0p GoAnywhere attacks

Japanese tech giant Hitachi confirmed that it was targeted by Clop ransomware actors through a zero-day vulnerability (CVE-2023-0669) in the Fortra GoAnywhere secure file transfer protocol. The company said that currently there’s no indication that its network operations or customer data were affected in the breach.

The City of Toronto and British multinational conglomerate Virgin reported they were also targeted in similar attacks, with Cl0p actors obtaining unauthorized access to data.

Ferrari discloses data breach, refuses to pay ransom demand

Italian luxury sports car maker Ferrari revealed it has suffered a data breach after it received a ransom demand from threat actors who compromised the company’s IT systems. The company said that a threat actor gained access to a limited number of its IT systems and some customer data, including names, addresses, email addresses, and phone numbers. Ferrari says it found no evidence that sensitive payment details or information on Ferrari cars owned or ordered have been stolen in the attack.

The company also stated that it “will not be held to ransom as paying such demands funds criminal activity and enables threat actors to perpetuate their attacks.”

North Korea-linked Kimsuky APT targets experts with new spear-phishing attacks

German and South Korean government agencies issued a joint security advisory warning of a new spear-phishing campaign by the North Korean state-sponsored hacker group Kimsuky (aka Thallium, Velvet Chollima) targeting experts on Korean Peninsula and North Korea issues.

The threat actor uses two attack methods to gain access to victims’ Google accounts - the infection of Android phones via a malicious app on Google Play and the use of a malicious Chromium web browser extension.

Chinese hackers target Middle East telecom providers

SentinelOne released a report detailing a new campaign against telecommunication providers in the Middle East, which has been linked to Operation Soft Cell, a long-running operation by China-affiliated actors that has been targeting telecommunications providers since at least 2012.

The initial attack phase involves infiltrating Internet-facing Microsoft Exchange servers to deploy webshells used for command execution. Once a foothold is established, the attackers conduct a variety of reconnaissance, credential theft, lateral movement, and data exfiltration activities.

Popular Web3 apps found to be vulnerable to Red Pill attacks

Developers of crypto wallet ZenGo have warned of a security weakness in transaction simulation solutions used by popular decentralized applications (dApps) that allows malicious dApps to steal user assets based on opaque transaction approvals offered to and approved by the users.

ZenGo team says they found six cryptocurrency wallet providers vulnerable to Red Pill attacks, including Coinbase, Rabby Wallet, Pocket Universe, Fire, and Blowfish. All affected vendors have released fixes to address the issue.

New stealthy NUIT attack allows remote control of Siri, Alexa and other smart voice assistants

A team of academics from The University of Texas at San Antonio devised a new method that involves the use of inaudible sounds embedded in regular audio and video files to send malicious commands to voice assistants.

The new attack, dubbed NUIT (Near-Ultrasound Inaudible Trojan), works on popular smart voice assistants like Siri, Google Assistant, Alexa or Amazon’s Echo and Microsoft Cortana.

To execute the NUIT attack, an attacker needs to trick the victim into listening to or watching malicious audio or video, for example, a YouTube video with embedded malicious commands, either on a laptop or mobile device.

US cyber authorities share IoCs, TTPs associated with LockBit 3.0 ransomware

US cybersecurity agencies released a security alert detailing the Indicators of Compromise (IoCs) and tactics, techniques, and procedures (TTPs) associated with the LockBit 3.0 ransomware operation.

Since January 2020, LockBit, also referred to as LockBit Black, has functioned based on the ransomware-as-a-service (RaaS) model, targeting a wide array of businesses and critical infrastructure entities.

LockBit 3.0, which is a successor to LockBit 2.0 and earlier LockBit versions, is more modular and evasive and shares similarities with Blackmatter and Blackcat ransomware.

New ‘HinataBot’ botnet exploits router and server bugs in DDoS attacks

Akamai researchers have released a report detailing a new Go-based malware they dubbed ‘HinataBot’ that is focused on distributed-denial-of-service (DDoS) attacks.

Infection attempts observed by Akamai include exploitation of the miniigd SOAP service on Realtek SDK devices (CVE-2014-8361), Huawei HG532 routers (CVE-2017-17215), and exposed Hadoop YARN servers (CVE N/A) with weak credentials.

HinataBot is capable of contacting a command-and-control (C&C) server to listen for incoming instructions and initiate attacks against a target IP address for a specified duration.
