8 September 2023

Cyber Security Week in Review: September 8, 2023


Cyber Security Week in Review: September 8, 2023

US, UK sanction 11 Russian linked to Trickbot, Conti gangs

The US and UK governments sanctioned 11 Russian nationals allegedly connected to the notorious Trickbot cybercrime group.

The sanctioned Russians were named as Andrey Zhuykov, Maksim Galochkin, Maksim Rudenskiy, Mikhail Tsarev, Dmitry Putilin, Maksim Khaliullin, Sergey Loguntsov, Vadym Valiakhmetov, Artem Kurov, Mikhail Chernov and Alexander Mozhaev.

The US Treasury Department’s Office of Foreign Assets Control (OFAC) took action against 7 individuals, while the US Department of Justice charged nine suspects associated with the Trickbot and Conti gangs with conspiring to use the Trickbot malware to steal money and sensitive data from victims, including businesses and financial institutions across the globe, beginning in November 2015.

CL0P ransomware hit 377 different orgs between January and August 2023

Threat intelligence analysts at Falconfeeds.io published a deep-dive into modus operandi and attack methods used by the prolific Russia-linked ransomware outfit Cl0P responsible for multiple high-profile attacks worldwide, including widespread MoveIt hacks that affected hundreds of organizations.

First spotted in 2019, CL0P ransomware is frequently linked to the financially motivated threat actor FIN11 (also known as TA505 and Snakefly). CL0P is believed to be the successor to FIN11’s CryptoMix ransomware, which is a cross between the CryptXXX and CryptoWall ransomware strains.

Apple fixes two zero-days used to infect iPhones with spyware

Apple has released security updates to address two zero-day vulnerabilities said to have been exploited by hackers. Tracked as CVE-2023-41064 and CVE-2023-41061, the flaws reside in the ImageIO and Wallet components.

According to internet watchdog The Citizen Lab, the two bugs were exploited as part of a zero-click iMessage exploit chain named BLASTPASS that was used to deploy the infamous Pegasus spyware onto fully-patched iPhones (running iOS 16.6) via PassKit attachments with malicious images.

Google fixes actively exploited Android zero-day

Google released Android’s September 2023 security updates containing patches for more than 30 vulnerabilities, including a zero-day flaw under active exploitation. The zero-day vulnerability (CVE-2023-35674) is an input validation issue in the Framework component, which can be exploited for remote code execution.

Nation-state hackers exploit Fortinet and Zoho bugs

US Cyber Command’s Cyber National Mission Force, Cybersecurity and Infrastructure Security Agency, and the Federal Bureau of Investigation released a joint security alert warning that multiple government-backed hackers exploit vulnerabilities in Zoho ManageEngine ServiceDesk Plus (CVE-2022-47966) and Fortinet firewalls (CVE-2022-42475) to compromise targeted organizations.

North Korean hackers target security researchers with new zero-day

Google's Threat Analysis Group (TAG) has warned that North Korea-linked threat actors are targeting security researchers in a new campaign using at least one zero-day vulnerability.

As in the past similar campaigns, the threat actors used social media platforms like X (formerly Twitter) to build rapport with their targets. After initial contact via X, they move to an encrypted messaging app such as Signal, WhatsApp or Wire. Once a relationship is developed with a target, the threat actors would send a malicious file containing at least one 0-day in a popular software package.

Google researchers didn’t share any details regarding the zero-day bug used in the attacks, apart from saying that the vulnerability has been reported to the affected vendor and is in the process of being patched.

North Korean hackers go after Russian targets, China tries to sway US voters, Microsoft says

Multiple North Korean threat actors have recently targeted the Russian government and defense industry, while simultaneously providing materiel support for Russia in its war in Ukraine, Microsoft said in a new report. In March 2023, a North Korean threat actor known as Ruby Sleet (aka Ricochet Chollima) compromised an aerospace research institute in Russia. Additionally, Onyx Sleet (Plutonium) compromised a device belonging to a university in Russia in early March.

In a separate attack, a threat actor tracked as Opal Sleet (Osmium) sent phishing emails to accounts belonging to Russian diplomatic government entities during the same month. North Korean threat actors may be capitalizing on the opportunity to conduct intelligence collection on Russian entities due to the country’s focus on its war in Ukraine, Microsoft noted.

The company also said it found what they believe is a network of fake, Chinese-controlled social media accounts seeking to influence US voters by using artificial intelligence.

In a separate blog post, Microsoft shared additional information about the July hack by the Chinese threat actor Storm-0558 that compromised email accounts belonging to 25 organizations, including some related individual consumer accounts and government agencies in Western Europe and the US.

The company said that the attackers stole the signing key from a Windows crash dump after compromising a Microsoft engineer’s corporate account. The tech giant discovered that the MSA key was accidentally leaked into a crash dump after a consumer signing system crashed in April 2021.

Russian hackers target Ukraine’s energy infrastructure in a new series of attacks

The Computer Emergency Response Team of Ukraine (CERT-UA) shared technical details and Indicators of Compromise associated with a recently observed attack on the country’s energy infrastructure facility orchestrated by a Russian military hacking unit widely known as APT28, Fancy Bear or Strontium.

An analysis revealed that the threat actor used the file.io tool to download the Tor software and set up a hidden service to route the data through the network to local hosts. The attackers also used a legitimate service called webhook.site for remote command execution, as well as LOLBAS (Living Off The Land Binaries And Scripts) techniques to bypass security solutions

Thousands of popular websites leak source code, secrets

4,500 of the most visited websites in the world publicly exposed their git directory, code security firm Truffle Security has found. A .git directory includes all the information necessary for a project, including code commits, file paths, version control information, and more.

The company said that AWS and GitHub keys accounted for 45% of all exposed credentials, and 67% of GitHub credentials had admin access.

Hackers use Advanced Installer Windows tool to infect computers of graphic designers with crypto miners

Cisco’s Talos threat research team uncovered a new malicious campaign targeting French-speaking architects, engineers and graphic designers with cryptocurrency mining malware.

The campaign uses a legitimate Windows tool called Advanced Installer to package other legitimate software installers, such as Adobe Illustrator, Autodesk 3ds Max and SketchUp Pro, with malicious scripts and uses Advanced Installer's Custom Actions feature to make the software installers execute the malicious scripts.

Threat actors exploit flaws in MinIO storage system to commandeer servers

Malicious actors are abusing two recently disclosed flaws in the MinIO Object Storage solution to breach object storage systems to achieve unauthorized code execution on impacted servers. The attackers used a publicly available exploit chain to backdoor a MinIO instance. The exploit chain involves two vulnerabilities tracked as CVE-2023-28432 and CVE-2023-28434, the former of which is an information disclosure issue, while the latter is a privilege escalation flaw.

Cryptocurrency casino Stake hacked for $41 million

The world’s largest cryptocurrency casino and sportsbook platform Stake suffered a security breach on September 4 that saw more than $41 million in crypto assets stolen from its hot wallets. It appears that the attacker gained access to the hot wallets using a leaked private key and stole a total of $16 million worth of Ethereum, $17.8 million across the Binance Smart Chain, and $7.8 million in Polygon. The threat actor then converted the stolen funds into Ethereum and transferred crypto coins to multiple external cryptocurrency wallets.

Mozilla says major car brands are privacy nightmare on wheels

Most major car manufacturers fail to meet the most basic privacy and security standards in new internet-connected models. Mozilla said that all 25 major car brands it examined failed the privacy test. The organization found that popular brands, including BMW, Ford, Toyota, Tesla, Kia, and Subaru, can collect highly sensitive personal information like sexual activity, immigration status, race, facial expressions, weight, health and genetic information, as well as where the car owner drives.

Hacktivists expose Belarusian Red Cross’ involvement in kidnapping children from Ukraine

Belarusian hacktivist group known as “Cyber Partisans” said they have hacked the Belarusian branch of the Red Cross (BRC) organization and have stolen internal documents showing the BRC’s collaboration with the regime of self-proclaimed President of Belarus Alexander Lukashenko and the chapter’s involvement in the abduction of children from Ukraine.

Some of the published documents reference children from the city of Lysychansk in Ukraine's Luhansk region currently occupied by Russian forces who were moved without their parents to the city of Novopolotsk in Belarus in December 2022.

Hackers exploit poorly secured MS SQL servers to spread FreeWorld ransomware

Hackers are targeting vulnerable Microsoft SQL Server (MSSQL) databases using brute-force attacks to deliver ransomware and Cobalt Strike payloads. The attacks are said to be part of the DB#JAMMER campaign, which stands out for its high level of sophistication in terms of the attacker's use of tooling infrastructure and payloads.

Multiple Okta customers compromised in a phishing campaign

Multiple US-based customers of identity and access management company Okta have been compromised in a series of phishing attacks aiming to obtain elevated administrator permissions. The attackers used compromised Okta Super Administrator accounts to impersonate users within targeted organizations.

The attacks are believed to have been orchestrated by a financially motivated threat actor known as Scattered Spider, UNC3944, Scatter Swine, and Muddled Libra, which has been around since May 2022.

Back to the list

Latest Posts

UAC-0185 targets Ukrainian defense forces and defense industry sector

UAC-0185 targets Ukrainian defense forces and defense industry sector

The emails included a malicious link, clicking on which triggered the download of malware.
9 December 2024
New malware botnet Socks5Systemz powers illegal proxy service

New malware botnet Socks5Systemz powers illegal proxy service

The botnet relies on loaders like PrivateLoader, SmokeLoader, and Amadey to persist on compromised systems.
9 December 2024
A new technique can bypass existing isolation mechanisms in modern browsers

A new technique can bypass existing isolation mechanisms in modern browsers

The method works across all types of browser isolation.
9 December 2024