31 March 2023

Cyber security week in review: March 31, 2023

Cyber security week in review: March 31, 2023

Global spyware campaigns take advantage of zero-days in iOS, Android

Google’s Threat Analysis Group (TAG) detailed two distinct highly targeted spyware campaigns that used zero-day vulnerabilities and known but unpatched flaws in Android, iOS and Chrome to infect targets’ devices with commercial spyware.

The first campaign spotted in November 2022 targeted iOS and Android devices with two separate exploit chains that were delivered via bit.ly links sent over SMS.

The iOS exploit chain leveraged multiple flaws, including CVE-2022-42856 (a then zero-day), CVE-2021-30900, and a PAC bypass technique, to deliver an .IPA file (iOS application archive) onto the affected device.

The Android exploit chain targeted users on phones with an ARM GPU running Chrome versions prior to 106 and consisted of three exploits: CVE-2022-3723, CVE-2022-4135, and CVE-2022-38181.

The second campaign was discovered in December 2022 and involved an exploit chain consisting of multiple 0-days and n-days targeting the latest version of Samsung Internet Browser. It appears that the campaign targeted UAE users. Google has linked both the exploits and the websites in this campaign to Heliconia, an exploit framework developed by the Barcelona-based firm Variston IT, which was first detailed last year.

Thousands of companies targeted in 3CX supply chain attack

Multiple cybersecurity firms are warning about an ongoing supply chain attack involving a trojanized version of 3CXDesktopApp used to spread a malicious payload. The threat actor behind this campaign has been observed targeting Windows and macOS users of the compromised 3CX app.

According to SentinelOne researchers, the trojanized 3CXDesktopApp is the first stage in a multi-stage attack chain that pulls ICO files appended with base64 data from GitHub and ultimately leads to the download of a third-stage infostealer DLL. CrowdStrike researchers suspect that a North Korean state-sponsored hacker group they track as Labyrinth Collima (aka Lazarus Group, APT38, UNC4034, and Zinc) is responsible for this attack.

3CX has confirmed the incident and said it is working on a clean desktop client version. For now, 3CX recommended that customers use its web-based PWA app.

Apple backports fixes for recent WebKit zero-day to older iPhones, iPads

Apple released security updates to backport fixes for a recently patched WebKit zero-day vulnerability to older iPhone and iPad models.

Tracked as CVE-2023-23529, the bug is a type confusion issue in the WebKit browser engine that can be used by a remote attacker to achieve remote code execution by tricking a victim into visiting a specially crafted website. This type confusion issue was addressed with improved checks.

The update is available for: iOS 15.7.4 and iPadOS 15.7.4 for iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation).

Microsoft shares guidance on detecting Outlook zero-day exploited by Russian hackers

Microsoft has released a detailed guide to help organizations detect the signs of abuse of a recently patched Outlook zero-day vulnerability said to have been exploited in attacks by Russia-linked state-sponsored hackers.

Tracked as CVE-2023-23397, the vulnerability is an elevation of privilege issue that allows a remote attacker to compromise the vulnerable system.

Ukrainian police dismantles cybercrime gang that stole $4.3 million

Ukrainian cyberpolice in coordination with a law enforcement agency from the Czech Republic have arrested members of a cybercrime gang that defrauded over a thousand victims in France, Spain, Poland, the Czech Republic, Portugal, and other European countries of nearly $4.3 million (₴160 million).

The scammers created more than 100 phishing sites targeting users across the EU, which lured victims by offering goods below market prices. The fraudsters used the stolen data to make online purchases using other people's credit cards.

NCA creates fake DDoS-for-hire sites to collect data on cybercriminals

UK National Crime Agency (NCA) said it was running a number of websites purporting to offer DDoS-for-hire services to infiltrate the cybercriminal underground.

According to the agency, all of the bogus sites, which have so far been accessed by around several thousand people, have been created to look like they offer the tools and services that enable cyber criminals to execute DDoS attacks. However, users who registered for the sites were not given access to cybercrime tools but instead had their data collated by investigators.

SafeMoon crypto project lost $8.9million in a hack

BNB chain-based exchange SafeMoon lost $8.9 million worth of cryptocurrency assets after an attacker exploited a “public burn bug” in its platform. The hacker was able to artificially raise the price of SFM tokens and then sell them back to the liquidity pool.

Europol warns about potential criminal abuse of ChatGPT

The European Union's law enforcement agency Europol warned about the potential misuse of artificial intelligence-powered OpenAI’s chatbot ChatGPT in phishing attempts, disinformation and cybercrime. While all of the information ChatGPT provides is already available on the internet, the model makes it easier to find and understand how to carry out specific crimes. The agency also highlighted that ChatGPT could be exploited to impersonate targets, facilitate fraud and phishing, or produce propaganda and disinformation to support terrorism.

GitHub’s RSA SSH host key briefly exposed in public repository

Microsoft-owned GitHub said it replaced its RSA SSH private key after it was briefly exposed in a public repository. The company said that the exposure was not a result of a breach, but rather the key was published accidentally. GitHub also added that it has no reason to believe that the exposed key was abused and that the steps were taken “out of an abundance of caution.”

Parts of Twitter’s source code reportedly leaked online

Some portions of Twitter’s source code have been leaked on GitHub, according to court filings. Twitter asked GitHub, a collaborative programming network, to take down the offending code citing copyright infringement. GitHub complied and took down the code that day. It was unclear how long the leaked code had been online, but it appeared to have been public for at least several months.

Earlier this week, the US District Court for the Northern District of California has issued a subpoena to Github compelling it to identity GitHub user “FreeSpeech Enthusiast,” including “name(s), address(es), telephone number(s), email address(es), social media profile data, and IP address(es), for the user(s) associated with.”

Australian loan giant Latitude Financial says data breach impacted 14M customers

Latitude Financial Services, Australia's biggest non-bank lender, has revealed that the extent of a data breach it suffered earlier this month is more significant than initially estimated. The company initially reported that the number of impacted customers was 328,000, but now confirmed that the real number of affected individuals is 14 million, including customers, past customers and applicants across Australia and New Zealand.

The stolen data includes 7.9m Australian and New Zealand driver’s license numbers, 53,000 passport numbers, and financial statements, and around 6.1 million records dating back to at least 2005. The records include names, addresses, phone numbers and dates of birth.

Toyota Italy leaked sensitive data for over 1.5 years

Toyota Italy, Toyota Motor's Italian sales and marketing arm, for more than one-and-a-half years exposed secrets for its Salesforce Marketing Cloud and Mapbox APIs. The leak came to light in mid-February 2023, when the researchers discovered an environment file (.env) hosted on the official Toyota Italy website, exposing credentials to the digital marketing platform Salesforce Marketing Cloud.

This could allow malicious actors to gain access to phone numbers and email addresses, customer tracking information, and email, SMS, and push-notification contents and use this data for various purposes like sending bogus SMS messages and emails, or editing marketing campaigns and content tied with the Salesforce Marketing Cloud.

China-linked Winnti APT adds new ‘Melofee’ Linux implant to its arsenal

Researchers with French cybersecurity firm ExaTrack shared their findings on a new Linux implant named ‘Melofee’ they have linked to the Chinese cyber-espionage group Winnti. The implant is installed using shell commands and includes a kernel mode rootkit, which is a modified version of the open source project Reptile with limited set of features, mainly installing a hook designed for hiding itself.

Russian Winter Vivern hackers use known Zimbra flaw to target NATO-Aligned governments in Europe

Proofpoint says that a Russian hacking group tracked as Winter Vivern (aka TA473), has been actively exploiting vulnerabilities (CVE-2022-27926) in unpatched Zimbra endpoints since February 2023 to steal the emails of NATO officials, governments, military personnel, and diplomats involved in the Russia Ukrainian War.

The threat actor utilizes scanning tools like Acunetix to identify unpatched webmail portals and then send phishing emails purporting to be relevant benign government resources. The malicious email contains a link to malicious URLs that abuse known vulnerability to execute JavaScript payloads within victim’s webmail portals.

North Korean APT43 uses cybercrime to support cyber-espionage operations

Cybersecurty firm Mandiant has shed some light on cyber activities of a new espionage group it tracks as APT43 that has been targeting government organizations, academics, and think tanks in the United States, Europe, Japan, and South Korea since 2018.

APT43’s most common attack method is using tailored spear-phishing emails to gain access to their victim’s information. The group also uses spoofed websites designed to steal credentials. While APT43 maintains a high tempo of activity and is prolific in its phishing and credential collection campaigns, the researchers said they didn’t observe the group exploiting zero-day vulnerabilities.

New AlienFox malware steals credentials for multiple cloud services

Security researchers at SentinelOne discovered a new modular toolkit called ‘AlienFox’ allows threat actors to scan for misconfigured servers to steal authentication secrets and credentials for cloud-based email services.

Threat actors use AlienFox to collect lists of misconfigured hosts from security scanning platforms, including LeakIX and SecurityTrails. They use multiple scripts in the toolset to extract sensitive information such as API keys and secrets from configuration files exposed on victims’ web servers. The researchers said they found scripts targeting tokens and secrets from 18 cloud services, including 1and1, AWS, Bluemail, Exotel, Google Workspace, Mailgun, Mandrill, Nexmo, Office365, OneSignal, Plivo, Sendgrid, Sendinblue, Sparkpostmail, Tokbox, Twilio, Zimbra, and Zoho.

Back to the list

Latest Posts

Cyber Security Week in Review: May 24, 2024

Cyber Security Week in Review: May 24, 2024

In brief: Google fixes Chrome zero-day, a backdoor found in JAVS software, and more.
24 May 2024
Chinese APTs increasingly using ORB networks to mask attack infrastructure

Chinese APTs increasingly using ORB networks to mask attack infrastructure

Mandiant reports that it is actively monitoring several ORB networks, with the most notable being SPACEHOP and FLORAHOX.
23 May 2024
Threat actors exploit vulnerable drivers to disable EDRs in cryptojacking attack

Threat actors exploit vulnerable drivers to disable EDRs in cryptojacking attack

Ghostengine deploys several modules to tamper with security tools, establish a backdoor, and ensure software updates are in place.
22 May 2024