2 June 2023

Cyber security week in review: June 2, 2023

A zero-day flaw in MOVEit Transfer file transfer software used for data theft

Hackers are mass exploiting a zero-day vulnerability in Progress Software's MOVEit Transfer, a managed file transfer (MFT) product used by thousands of major companies worldwide.

The flaw, which currently does not have a CVE identifier, has been described as an SQL injection vulnerability that could lead to escalated privileges and potential unauthorized access to the environment. All MOVEit Transfer versions are said to be affected. The software maker has released MOVEit Transfer 2023.0.1, 2022.1.5, 2022.0.4, 2021.1.4, and 2021.0.6 to address the issue. Until the patch is applied, the company urges customers to disable all HTTP and HTTPS traffic to their MOVEit Transfer environment.

According to security researchers, hackers have been exploiting the flaw for at least a month to steal data. Rapid7 said it has noticed an uptick in cases of compromise linked to the flaw since it was disclosed. As of May 31, there were roughly 2,500 instances of MOVEit Transfer exposed to the public internet, the majority of which appear to be in the US.

Successful exploitation results in the deployment of a web shell, a file named "human2.aspx" in the "wwwroot" directory (reported as being created via script under a randomized filename), which is used to "exfiltrate various data stored by the local MOVEit service."

Currently, it’s unclear how many organizations suffered breaches related to this vulnerability.
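The web shell described above is a file-system artifact, so the first check a responder will want is a sweep of the MOVEit Transfer wwwroot for the known name and for any .aspx file that a clean install does not ship. The script below is an added example, not Progress or Rapid7 tooling; the baseline set of legitimate file names and the demo directory tree are constructed for illustration, and a real baseline should be taken from a known-clean install of the same version.

```python
"""Hunt for the human2.aspx web shell and other unexpected .aspx files under a
MOVEit Transfer wwwroot directory.

Added example for this write-up; not code from Progress Software or Rapid7.
"""
import os
import tempfile
from pathlib import Path

# Indicator from public reporting on the MOVEit Transfer zero-day.
KNOWN_WEBSHELL_NAMES = {"human2.aspx"}

# Hypothetical baseline of expected .aspx files. Replace with a listing (ideally
# with hashes) taken from a clean MOVEit Transfer install of your exact version.
EXAMPLE_BASELINE = {"human.aspx", "machine.aspx", "login.aspx"}


def find_suspicious_aspx(wwwroot, baseline=EXAMPLE_BASELINE):
    """Return a sorted list of (relative_path, reason) tuples worth reviewing.

    Flags any file whose name matches a known web shell name (case-insensitive)
    and any .aspx file whose name is not in the baseline set.
    """
    root = Path(wwwroot)
    baseline_lower = {name.lower() for name in baseline}
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            rel = Path(dirpath, name).relative_to(root).as_posix()
            lower = name.lower()
            if lower in KNOWN_WEBSHELL_NAMES:
                findings.append((rel, "known web shell name"))
            elif lower.endswith(".aspx") and lower not in baseline_lower:
                findings.append((rel, "unexpected .aspx not in baseline"))
    return sorted(findings)


def build_demo_tree():
    """Create a constructed sample wwwroot in a temp directory (demo data only).

    Contains three baseline pages, an image, the known web shell name and one
    randomly named .aspx file that a loader script might have dropped.
    """
    base = Path(tempfile.mkdtemp(prefix="moveit_demo_"))
    for rel in ("human.aspx", "machine.aspx", "login.aspx", "images/logo.png",
                "human2.aspx", "api/ahq8sd.aspx"):
        path = base / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text('<%@ Page Language="C#" %>\n')
    return base


if __name__ == "__main__":
    for rel, reason in find_suspicious_aspx(build_demo_tree()):
        print(f"{reason}: {rel}")
```

Point the function at the real wwwroot (for example `C:\MOVEitTransfer\wwwroot`) and a baseline built from a clean install; any hit for the known name is a confirmed indicator, while other unexpected .aspx files need manual review because the loader reportedly uses randomized names.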

250+ Gigabyte motherboard models come with firmware backdoor

Firmware security firm Eclypsium said it discovered backdoor-like behavior in Gigabyte firmware that puts at risk hundreds of motherboard models made by the Taiwanese tech giant.

The anomaly was first detected in April 2023. A follow-up analysis found that firmware in Gigabyte systems drops and executes a Windows native executable during the system startup process, and this executable then downloads and executes additional payloads insecurely. The Windows executable is embedded in the UEFI firmware image and written to disk by the firmware as part of the boot process, so reinstalling the operating system does not remove it.

Eclypsium notes that the updater's downloads sometimes happen over plain HTTP instead of HTTPS, so an attacker positioned on the network between the user's system and Gigabyte's servers could carry out a Man-in-the-Middle (MitM) attack and substitute a malicious payload. However, there is currently no evidence that the backdoor has been used for malicious purposes.

Hackers had been exploiting Barracuda zero-day since fall 2022

US-based email and network security solutions provider Barracuda Networks said that threat actors had been exploiting a recently patched zero-day vulnerability in its Email Security Gateway (ESG) appliances since October 2022 to backdoor devices.

Tracked as CVE-2023-2868, the flaw is an OS command injection issue that can be exploited by a remote attacker to execute arbitrary commands on the target system.

The attacks involved three malware families - Saltwater, Seaspy, and Seaside - used to maintain access to compromised systems and receive commands from a C&C server.

Zyxel network devices being mass exploited to spread Mirai botnet

A new Mirai malware variant is targeting a recently patched vulnerability in Zyxel firewall appliances to compromise the devices and ensnare them into the botnet. Tracked as CVE-2023-28771, the bug is an OS command injection issue that allows a remote attacker to execute OS commands on the target device by sending specially crafted packets. Zyxel released a firmware update (version 5.36) back in March to address the security issue.
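Both the Barracuda and the Zyxel items above are OS command injection bugs: attacker-controlled input ends up inside a string handed to a shell. The example below is an added illustration of that vulnerability class and its fix, written in Python rather than taken from either product; the "list an uploaded archive" scenario and the hypothetical `tar` invocation are assumptions chosen to make the pattern concrete.

```python
"""OS command injection: the vulnerable pattern next to a hardened version.

Added example; not code from Barracuda, Zyxel, or any of their products.
The archive-listing scenario is hypothetical.
"""
import re
import subprocess

# Allow-list: only characters that can never be interpreted by a shell.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


def vulnerable_command(filename):
    """Build the shell line a naive implementation would pass to a shell.

    Returned as a string instead of executed so the injection is visible
    without side effects: a filename such as 'a.tar; id' becomes two commands.
    """
    return f"tar -tf {filename}"


def hardened_argv(filename):
    """Validate the name against the allow-list and build an argv list.

    The argv list is executed without a shell, so metacharacters are never
    interpreted, and '--' stops tar from treating a leading '-' as an option.
    """
    if not SAFE_NAME.match(filename):
        raise ValueError(f"rejected filename: {filename!r}")
    return ["tar", "-tf", "--", filename]


def run_hardened(filename):
    """Execute the hardened argv with shell=False (the default)."""
    return subprocess.run(hardened_argv(filename), capture_output=True, text=True)


if __name__ == "__main__":
    # Constructed attacker inputs for demonstration.
    for bad in ("backup.tar; id", "$(id).tar", "-T/etc/passwd"):
        print("vulnerable would run:", vulnerable_command(bad))
        try:
            hardened_argv(bad)
        except ValueError as exc:
            print("hardened rejects:", exc)
    print("hardened accepts:", hardened_argv("backup-2023.tar"))
```

The important difference is not the regular expression alone but the combination: reject anything outside a tight allow-list and never reassemble the value into a shell string. Escaping or blocklisting individual metacharacters is how injection bugs of this kind usually survive review.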

Hackers are hunting for exposed Apache NiFi instances for cryptomining

Researchers at the SANS Internet Storm Center warned that threat actors are actively scanning the internet for unprotected Apache NiFi instances to ensnare them into a cryptocurrency mining botnet. The attackers either install the Kinsing cryptocurrency miner or attempt lateral movement by searching the server for SSH credentials.

New Go-based GobRAT malware targets Linux routers

Japan's Computer Emergency Response Team Coordination Center (JPCERT/CC) published a technical analysis of a new Golang-based remote access trojan called 'GobRAT' observed in a series of attacks against Linux routers in Japan in February 2023.

Ukraine’s CERT warns of a new wave of SmokeLoader attacks

Ukraine’s Computer Emergency Response Team (CERT-UA) said it detected a new phishing campaign by the UAC-0006 threat actor delivering the SmokeLoader malware. The team notes that UAC-0006, which is characterized as a financially motivated operation, has changed some of its TTPs (tactics, techniques, and procedures), including the use of multiple infection methods, and the Cobalt Strike Beacon tool, indicating that the threat actor is expanding its malware arsenal.

US, South Korea issue a warning about North Korea’s Kimsuky cybercrime group

US and South Korean intelligence agencies released a new security advisory detailing North Korean threat actor Kimsuky’s use of social engineering tactics to compromise think tanks, academia, and news media sectors. The agencies say that the group is also involved in stealing info used by the DPRK's satellite program.

Free VPN provider SuperVPN exposes 360 million user records

SuperVPN, a popular free VPN service provider, suffered a massive data breach exposing more than 360 million user records. In total, 133GB of sensitive data including user email addresses, original IP addresses, and geolocation information is said to have been exposed in the leak. Additionally, the leaked details included secret keys, Unique App User ID numbers, and UUID numbers.

War in Ukraine blurred lines between cybercrime and APT attacks

Trend Micro released a report on Void Rabisu (Tropical Scorpius), a financially motivated threat group linked to the RomCom malware strain and the Cuba ransomware. The researchers note that the threat actor has significantly changed its mode of operation since October 2022, deploying RomCom in a series of geopolitically motivated attacks linked to the Russo-Ukrainian war.

Emby shuts down some user media servers after hacker attack

Software company Emby remotely shut down some user-hosted media server instances after a threat actor exploited a known vulnerability to hijack systems. The attacks have been going on since mid-May 2023, with the attacker breaching internet-facing user-hosted Emby servers that had an insecure configuration for administrative user accounts. The attacker used a recently fixed flaw described as the "Proxy Header Vulnerability" to install a malicious plugin designed to steal login credentials.

The Emby team pushed a server update that scans for the malicious plugin and shuts down any instance where it is found.

'Exposed' hacker forum leaks registration data of almost 500,000 RaidForums users

A database containing registration information of 478,000 members of the now-defunct RaidForums hacker forum has been leaked on a new cybercriminal forum called ‘Exposed.’

The leaked data includes usernames, email addresses, hashed passwords, registration dates, and a variety of other information related to the forum software. According to cybersecurity firm KELA, 63% of users were inactive in terms of posting, and 70% of users were registered using a Gmail account.

Ukraine’s cyberpolice bust fraudsters who scammed victims in Israel

Ukrainian cyberpolice shut down an underground call center that defrauded residents of Israel posing as law enforcement officers or bank employees. The police have arrested a 40-year-old Ukrainian national believed to be a mastermind behind the scheme that caused an estimated loss of 5 million hryvnias (~$136,000).

XE Group cybercrime gang unmasked

Researchers at cybersecurity firm Menlo Security published a report on XE Group, a Vietnamese cybercrime group said to have stolen over $30 million from US-based corporations. Active since at least 2013, the threat actor uses numerous techniques, including Magecart-style supply chain attacks that inject credit card skimmers into web pages, fake websites that deceive users into revealing their personal information, and the sale of stolen data on the dark web.

Jimbos Protocol lost $7.5M in a hack

Jimbos Protocol, a liquidity protocol within the Arbitrum ecosystem, was hit with a flash loan attack over the weekend that led to the loss of roughly 4,000 ether (ETH), worth approximately $7.5 million. The attacker exploited a flaw in the protocol's code: the lack of slippage control on liquidity conversions allowed them to take a flash loan, move the price, and execute reverse swaps for a profit.

The exploiter withdrew 4,090 ETH from the Arbitrum network and subsequently used bridges such as Stargate and Celer Network to move approximately 4,048 ETH to the Ethereum mainnet.

Lawtech platform Casepoint hit with BlackCat ransomware

Casepoint, a legal technology platform used by multiple US government entities, has been added to a list of victims on a dark web data leak website run by Russia-linked ransomware cartel BlackCat (aka ALPHV). The group claims to have stolen 2TB of sensitive data from Casepoint. As proof the cybercrooks posted some samples of allegedly stolen information, including what appears to be visa details, a report and a certificate.

In related news, IBM Security X-Force said it spotted a new version of the BlackCat ransomware dubbed “Sphynx”. First introduced in February 2023, the new version comes with updated capabilities to evade detection.

PyPI to enforce 2FA for publishers to prevent account takeover

The Python Package Index (PyPI), the official third-party software repository for Python projects, announced that it will require every account that maintains any project or organization on PyPI to enable two-factor authentication (2FA) by the end of 2023.

The move comes following multiple incidents involving malicious Python packages delivering malware and aims to improve the supply chain security of the Python ecosystem.

More recently, cybersecurity firm ReversingLabs detected a new attack involving a malicious Python package available through the official PyPI portal that used compiled Python bytecode (.pyc) files to evade detection, since most scanners inspect only .py source. This appears to be the first known case of a threat actor using .pyc files to hide malicious content in a PyPI package.
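A .pyc file that ships with no corresponding .py source is the tell for the technique ReversingLabs describes: legitimate packages either omit bytecode entirely or ship it next to the source it was compiled from. The check below is an added example, not ReversingLabs' or PyPI's tooling; the demo package layout it builds is constructed, and the assumed indicator is simply "bytecode without source", which is cheap to run over an extracted sdist or wheel before installing it.

```python
"""Flag compiled bytecode shipped without its source in an unpacked Python package.

Added example; not ReversingLabs' or PyPI's scanning code.  The demo package
layout is constructed for illustration.
"""
import tempfile
from pathlib import Path


def orphan_pyc_files(package_root):
    """Return .pyc files under package_root that have no matching .py source.

    Handles both the legacy layout (foo.pyc beside foo.py) and the PEP 3147
    layout (__pycache__/foo.cpython-311.pyc beside ../foo.py).  Paths are
    returned relative to package_root, sorted, POSIX-style.
    """
    root = Path(package_root)
    orphans = []
    for pyc in root.rglob("*.pyc"):
        # "foo.cpython-311.pyc" -> "foo"; "foo.pyc" -> "foo"
        stem = pyc.name.split(".")[0]
        if pyc.parent.name == "__pycache__":
            source = pyc.parent.parent / f"{stem}.py"
        else:
            source = pyc.with_name(f"{stem}.py")
        if not source.exists():
            orphans.append(pyc.relative_to(root).as_posix())
    return sorted(orphans)


def build_demo_package():
    """Create a constructed package tree in a temp directory (demo data only).

    util.py has its normal __pycache__ entry; full.pyc and
    __pycache__/loader.cpython-311.pyc have no source and should be flagged.
    """
    base = Path(tempfile.mkdtemp(prefix="pypi_demo_")) / "demo_pkg"
    (base / "__pycache__").mkdir(parents=True)
    (base / "__init__.py").write_text("from . import util\nimport demo_pkg.full\n")
    (base / "util.py").write_text("def helper():\n    return 1\n")
    # Bytecode contents are irrelevant to the check; a magic-number prefix is
    # enough to look like a real .pyc in a directory listing.
    fake_pyc = b"\xa7\r\r\n" + b"\x00" * 12
    (base / "__pycache__" / "util.cpython-311.pyc").write_bytes(fake_pyc)
    (base / "__pycache__" / "loader.cpython-311.pyc").write_bytes(fake_pyc)
    (base / "full.pyc").write_bytes(fake_pyc)
    return base


if __name__ == "__main__":
    for rel in orphan_pyc_files(build_demo_package()):
        print("bytecode without source:", rel)
```

A hit is not proof of malice on its own, but it is a strong reason to disassemble the file (the standard library's `dis` and `marshal` modules suffice) before the package is installed anywhere with network access.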
