11 August 2023

Cyber Security Week in Review: August 11, 2023

Microsoft fixes two actively exploited bugs

Microsoft released its August 2023 Patch Tuesday security updates addressing almost 90 vulnerabilities, including two flaws listed as being under active exploitation.

The first issue tracked as CVE-2023-36884 is an Office and Windows HTML remote code execution vulnerability said to have been exploited by the RomCom (aka Storm-0978 and DEV-0978) hacking group in targeted attacks aimed at defense and government entities in Europe and North America. This bug was disclosed back in July but didn’t receive a patch at the time.

The second actively exploited issue is CVE-2023-38180, a .NET and Visual Studio denial-of-service (DoS) vulnerability that a remote attacker can trigger by sending specially crafted input to the application. Microsoft did not share any details regarding attacks exploiting this vulnerability.

Gafgyt botnet malware is actively targeting a 2017 Zyxel router flaw

Fortinet says it observed thousands of Gafgyt malware attacks targeting an old command injection vulnerability (CVE-2017-18368) affecting the end-of-life Zyxel P660HN-T1A router. Although Zyxel provided a patch for the bug back in 2017, many devices still remain vulnerable.

Downfall and Inception: Researchers reveal new side-channel attacks on modern CPUs

Security researchers revealed details of two new side-channel attacks, named Downfall (CVE-2022-40982) and Inception (CVE-2023-20569), that allow attackers to leak data from modern processors.

Downfall attacks exploit a vulnerability present in billions of modern processors used in personal and cloud computers. This issue allows a user to access and steal data from other users sharing the same computer. For instance, a malicious app obtained from an app store could use the Downfall attack to steal sensitive information like passwords, encryption keys, and private data such as banking details, personal emails, and messages.

Intel has categorized Downfall (aka GDS) as a medium severity flaw that could lead to information disclosure. The company is releasing a microcode update to address the flaw, although it should be noted that it may cause a 50% performance reduction.

The Inception technique allows a local attacker to leak potentially sensitive data, such as passwords or encryption keys, from the memory of a computer powered by an AMD Zen processor.

The attack method combines the previously known Phantom speculation method with a new form of transient execution attack called Training in Transient Execution (TTE).

AMD has acknowledged the flaw, stating that it is potentially exploitable only locally, such as through downloaded malware. The company has released microcode updates to mitigate the risk.

Interpol shuts down ‘16shop’ phishing-as-a-service platform used by scammers

Interpol and partners have dismantled the ‘16shop’ phishing-as-a-service platform, which sold tools that allowed cybercriminals to conduct phishing attacks aimed at stealing victims’ personal and financial information. The Indonesian authorities arrested two suspects linked to 16shop, including the platform’s alleged administrator. Another associate was arrested in Japan. Electronic items and several luxury vehicles were also seized.

In related news, Interpol announced that a crackdown on West African cybercrime groups has resulted in 103 arrests and the seizure of more than 2 million euro.

More than 200 bank accounts linked to the illicit proceeds of online financial crime were blocked during the operation, and several kingpins, whose crime networks are considered a serious global security threat, were arrested.

US and Poland shut down Lolek Hosted bulletproof hosting platform

US and Polish authorities have seized the domain of the Lolek bulletproof hosting provider that has been in operation since 2009.

New York ‘crypto’ couple pleads guilty to laundering 120K Bitcoin stolen in 2016 Bitfinex hack

A married couple from New York dubbed “Bitcoin Bonnie and Crypto Clyde” admitted to laundering billions of dollars in bitcoin stolen during the 2016 Bitfinex hack. The authorities say Ilya Lichtenstein used “a number of advanced hacking tools and techniques to gain access to Bitfinex’s network.” From there, he made over 2,000 transactions transferring 119,754 bitcoin from the cryptocurrency exchange Bitfinex to his crypto wallet.

Ilya Lichtenstein pleaded guilty to conspiracy to commit money laundering, which carries a maximum penalty of 20 years in prison. Morgan pleaded guilty to one count of money laundering conspiracy and one count of conspiracy to defraud the US, each of which carries a maximum penalty of five years in prison.

Criminals use EvilProxy phishing tool to take over corporate executives’ accounts

Threat actors are using the EvilProxy phishing platform to bypass multifactor authentication (MFA) protections in the Microsoft 365 accounts belonging to high-level corporate executives at prominent firms. Over the past six months, researchers observed a substantial rise of over 100% in successful cloud account takeover incidents impacting high-level executives, with more than 100 companies targeted globally.

UK's Electoral Commission says hackers had access to its systems for more than a year

The UK's Electoral Commission revealed it was hacked by “hostile actors” who gained access to electoral registers, suggesting that the personal data of tens of millions of voters could have been stolen.

The intrusion began in August 2021 but was detected only in October 2022, after the watchdog noticed suspicious activity on its systems. According to the commission, the attackers gained access to the email servers, the control systems, and copies of the electoral registers containing information on UK citizens who registered to vote between 2014 and 2022, as well as the names of those registered as overseas voters.

Ukraine thwarts Sandworm attack targeting military systems

Ukraine’s security services have foiled an attempt by Russian state-backed Sandworm APT to compromise the combat data exchange system of the Armed Forces of Ukraine.

The group attempted to infect Ukraine’s military network with nearly ten variants of custom malware ranging from Android remote access trojans and Mirai variants to backdoors designed to collect data from Ukraine's Starlink satellite connections.

The goal of the operation was to gather intelligence on the Ukrainian military's operations, technical provisions and movements. The attackers intended to achieve this by capturing tablets used by the Ukrainian military on the battlefield, then using those tablets to reach other connected devices and infect them with malware.

Chinese hackers reportedly breached Japan’s classified defense systems

Chinese nation-state hackers reportedly breached Japan's classified defense network in 2020 in what was described as one of the most harmful hacks in Japan's modern history.

As per the Washington Post, the intruders had deep, persistent access and appeared to be after anything they could get their hands on — plans, capabilities, and assessments of military shortcomings. The hacks that began under the Trump administration and continued into the Biden administration were detected by the US National Security Agency (NSA) and were reported to Japanese government officials.

China’s RedHotel APT targeted at least 17 countries since 2021

Recorded Future’s Insikt Group released a report detailing cyber espionage operations of a China-linked threat actor tracked as RedHotel, Charcoal Typhoon and Bronze University. RedHotel, which has been linked by researchers to China’s Ministry of State Security, has a dual mission of intelligence gathering and economic espionage. It targets both government entities for traditional intelligence and organizations involved in COVID-19 research and technology R&D.

The researchers said that they have found evidence that the group is operating from Chengdu, Sichuan Province, China.

North Korean cyber spies hacked sanctioned Russian missile engineering firm

Two separate North Korea-affiliated threat actors compromised the internal systems of the major Russian missile engineering company NPO Mashinostroyeniya, sanctioned by the US authorities in 2014 in response to Russia’s continued attempts to destabilize eastern Ukraine and its ongoing occupation of Crimea.

Researchers at SentinelLabs said they identified two instances of North Korea-related breaches of sensitive internal IT infrastructure within NPO Mashinostroyeniya, including a Linux email server compromise, and the deployment of a Windows backdoor dubbed OpenCarrot.

The breach of the email server was linked to a threat actor known as ScarCruft, APT37, Inky Squid or Temp.Reaper, while the OpenCarrot backdoor was previously linked to the Lazarus Group hackers. The attacks were first spotted in mid-May 2022.

Hackers targeting Ukrainian orgs with MerlinAgent info stealer

The Computer Emergency Response Team of Ukraine (CERT-UA) shared Indicators of Compromise related to a new information-stealing campaign targeting Ukraine’s government entities involving the open-source MerlinAgent malware.

MoustachedBouncer hackers target foreign diplomats in Belarus

ESET researchers discovered a long-running cyber espionage campaign by a previously undocumented threat actor named ‘MoustachedBouncer’ targeting foreign embassies in Belarus. The group has been active since at least 2014 and is exclusively focused on foreign diplomatic missions in Belarus.

According to ESET, MoustachedBouncer has used the adversary-in-the-middle technique (relying on a lawful interception system such as SORM) since 2020 to redirect captive portal checks to a command-and-control server and deliver malware plugins via SMB shares. The group’s arsenal includes two malware frameworks, NightClub and Disco, both of which support additional spying plugins such as a screenshotter, an audio recorder, and a file stealer. The group also appears to cooperate closely with the Russia-aligned Winter Vivern cyber espionage outfit.
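The captive-portal redirection described above works because operating systems probe a fixed URL and trust whatever answers it. The following is an added example of a defender-side check, not code from the original article or from ESET's research: it compares a captured probe response against what the probe is expected to return and flags redirects and altered bodies. The probe URLs, their expected answers and the sample responses are all assumptions constructed for this example.

```python
"""Flag connectivity-probe answers that indicate an adversary-in-the-middle.

Added example for illustration only; the probe table and sample captures are
constructed assumptions, not data from the article or from ESET.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Connectivity probes and the answer each should produce when nothing is in
# the way. These values are assumptions made for this example; verify them
# against the probe your operating system build actually sends.
EXPECTED_PROBES = {
    "http://www.msftconnecttest.com/connecttest.txt": (200, b"Microsoft Connect Test"),
    "http://connectivity-check.ubuntu.com/": (204, b""),
}

REDIRECT_CODES = {301, 302, 303, 307, 308}


@dataclass
class ProbeResponse:
    """One captured HTTP response to a connectivity probe (constructed input)."""
    url: str
    status: int
    body: bytes = b""
    headers: dict = field(default_factory=dict)


def classify_probe(resp: ProbeResponse) -> str:
    """Compare a probe response with the answer the probe should produce.

    Returns "ok" for an exact match, "redirect:<host>" when the probe was
    answered with a redirect (what a captive portal, or an AitM impersonating
    one, does), and "unexpected-content" for any other deviation.
    """
    expected = EXPECTED_PROBES.get(resp.url)
    if expected is None:
        return "unknown-probe"
    exp_status, exp_body = expected
    if resp.status in REDIRECT_CODES:
        location = resp.headers.get("location", "")
        target = urlsplit(location).hostname or "<no-location>"
        return f"redirect:{target}"
    if resp.status != exp_status or resp.body != exp_body:
        return "unexpected-content"
    return "ok"


def flag_interception(responses, portal_expected=False):
    """Return (url, verdict) pairs for probe answers worth an alert.

    On a managed network where no captive portal should exist, any redirect or
    altered body is reported; where a portal is expected (hotel or airport
    Wi-Fi), only non-redirect deviations are reported.
    """
    alerts = []
    for resp in responses:
        verdict = classify_probe(resp)
        if verdict in ("ok", "unknown-probe"):
            continue
        if verdict.startswith("redirect:") and portal_expected:
            continue
        alerts.append((resp.url, verdict))
    return alerts


# Constructed sample captures: a clean answer, a probe answered with a redirect
# to a host that is not the probe target, and a probe with a tampered body.
SAMPLE_RESPONSES = [
    ProbeResponse("http://www.msftconnecttest.com/connecttest.txt", 200,
                  b"Microsoft Connect Test"),
    ProbeResponse("http://connectivity-check.ubuntu.com/", 302,
                  headers={"location": "http://portal.example.invalid/login"}),
    ProbeResponse("http://www.msftconnecttest.com/connecttest.txt", 200,
                  b"<html>Please install the update</html>"),
]

if __name__ == "__main__":
    for url, verdict in flag_interception(SAMPLE_RESPONSES):
        print(f"ALERT {url}: {verdict}")
```

The check deliberately treats a redirect as a signal only on networks where no captive portal is expected, since a legitimate hotel portal produces the same redirect; the distinguishing fact in the campaign above is that the redirect appears on a connection where the probe should have answered directly.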

CISA discovered yet another backdoor used in Barracuda email attacks

The US Cybersecurity and Infrastructure Security Agency (CISA) released a malware analysis report on yet another backdoor malware named “Whirlpool” used in attacks on compromised Barracuda Email Security Gateway (ESG) devices.

Whirlpool is a backdoor that establishes a Transport Layer Security (TLS) reverse shell to the command-and-control server.
