15 September 2023

Cyber Security Week in Review: September 15, 2023

Cyber Security Week in Review: September 15, 2023

Microsoft fixes nearly 60 flaws, including two zero-days

Microsoft released its monthly batch of security updates that address nearly 60 security vulnerabilities in various products, including two zero-day issues under active exploitation. One of the exploited zero-days is CVE-2023-36761, an information disclosure issue in MS Word that allows a remote attacker to gain access to potentially sensitive information by tricking a victim into opening a specially crafted file and obtaining the NTLM hash of the current account.

The second zero-day (CVE-2023-36802) has been described as a privilege escalation bug in Microsoft Streaming Service Proxy that can be used by a local attacker to execute arbitrary code with SYSTEM privileges.

In related news, Adobe has also released security updates to patch a zero-day vulnerability in Acrobat and Reader said to have been exploited in hacker attacks. The vulnerability is tracked as CVE-2023-26369 and can let attackers gain remote code execution by tricking a victim into opening a malicious PDF file.

In addition, Mozilla has rushed to patch a zero-day vulnerability (CVE-2023-4863) in Firefox and Thunderbird software that has been actively exploited in the wild, a day after Google released a fix for the same issue in its Chrome browser.

Cisco releases interim workaround for a VPN zero-day exploited by Akira, LockBit ransomware

The networking giant Cisco issued an interim workaround to address a zero-day vulnerability exploited by the Akira and LockBit ransomware operations while it’s working on a full patch.

Tracked as CVE-2023-20269, the vulnerability exists in the remote access VPN feature of Cisco's Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software stacks. The issue stems from the improper separation of authentication, authorization, and accounting between the remote VPN feature, the HTTPS management, and site-to-site VPN features. The flaw can be used by a remote hacker to perform a brute-force attack and establish a clientless SSL VPN session with an unauthorized user.

Crypto exchange CoinEx hacked, millions in cryptocurrencies stolen

Hong Kong-based cryptocurrency exchange CoinEx Global was hit by a cyberattack, resulting in an estimated loss of $54 million in cryptocurrencies. The attack took place on September 12, 2023, and affected CoinEx’s Ethereum, TRON, and Polygon wallets. Blockchain investigators have linked the theft to the North Korean Lazarus state-sponsored hacker group previously blamed for multiple high-profile crypto thefts such as the $41 million Stake hack, the $100 million Harmony Bridge hack and the $622 million Ronin Network heist.

Scattered Spider cybercrime group linked to MGM Resorts breach

A financially motivated cybercrime group known as Scattered Spider has reportedly been behind the recent cyberattack on the casino and hotel chain MGM Resorts International. Until recently, Scattered Spider has been known primarily for data theft extortion without ransomware deployment, but new evidence suggests that the gang has gone for the ALPHV/BlackCat ransomware-as-a-service operation.

Meanwhile, the ALPHV ransomware group took credit for the hack claiming that it took only 10 minutes to execute the attack. In a subsequent statement, the group said that they encrypted more than 100 ESXi servers after MGM Resorts took down its internal infrastructure, as well as exfiltrated data from the network. The gang also said they maintain access to some of the company’s infrastructure and are threatening to carry out new attacks unless a ransom is paid.

Another casino operator, Caesars Entertainment, has confirmed it had been hacked and paid tens of millions of dollars to cyber crooks who threatened to leak its data. It appears that Scattered Spider was behind this breach as well.

FBI hacker leaks Airbus data

A malicious actor known as USDoD has posted the data of 3,200 Airbus vendors and employees on an underground hacking forum. The exposed data includes names, addresses, phone numbers, and email addresses. USDoD claimed they obtained the data by using passwords stolen from a Turkish airline employee who had third-party access to Airbus’ systems. The Airbus credentials were stolen after a Turkish airline employee infected their computer with the RedLine info-stealing trojan.

In December 2022, USDoD offered for sale the database of the FBI’s sharing system, “InfraGard,” on the Breached forum.

Save the Children hit with BianLian ransomware

Global non-government organization Save The Children International has confirmed it was hit with a ransomware attack after the BianLian ransomware group listed the charity organization, which is dedicated to promoting the well-being of children worldwide, on its data leak website.

The group claimed to have stolen 6.8 terabytes of data from the nonprofit, including email correspondence, medical and health data, financial data personal data, and Human Resource information.

Novel 3AM ransomware used as a backup if Lockbit gets blocked

Symantec's Threat Hunter Team discovered a new Rust-written ransomware strain dubbed “3AM” that attempts to stop multiple services on the infected computer before it begins encrypting files. The researchers said they observed 3AM in a single attack by a ransomware affiliate that attempted to deploy the LockBit ransomware on a target’s network and then switched to 3AM when LockBit was blocked. It is unclear whether 3AM’s developers have any links to known cybercrime organizations.

Europol: Ransomware remains the most prominent cyber threat

Europol released a report highlighting the developments in cyberattacks and the types of criminal structures that are behind cyber intrusions, and how cybercriminal groups are exploiting changes in geopolitics as part of their methodologies. The agency noted that malware-based cyberattacks remain the most prominent form of intrusion into companies across the world.

Ongoing Webex malvertising campaign drops the BatLoader malware

Malwarebytes researchers have warned of a new malvertising campaign that uses Google Ads tracking templates to create convincing Webex software search ads that redirect users to websites that distribute the BatLoader malware.

New phishing campaign is hitting hotels and travel agencies

Perception Point researchers discovered a new malicious campaign targeting the hospitality industry that uses social engineering techniques to drop info-stealing malware.

Turkey sees rise in cybercriminal activity due to influx of Russian hackers

Turkey is experiencing a surge in cybercriminal activity after thousands of Russian men, many of whom are trained software engineers, fled their country to avoid military conscription for the war in Ukraine.

Some of the newly arrived Russian hackers perpetrate low-level scams and fraud to support themselves, joining forces with established Turkish counterparts to avoid detection, launder their earnings and sell credentials stolen from computers worldwide into the European market.

Hacked documents reveal Russia is recruiting Cuban mercenaries to fight in Ukraine

Ukrainian hacktivist group known as the “Cyber Resistance” has obtained evidence that Russia is recruiting Cuban citizens to fight in Ukraine. The group has hacked the personal email account of a Russian officer in the Western Military District, Anton Valentinovich Perevozchikov, who was involved in the recruitment of foreign military personnel.

The cache of hacked documents contains nearly 200 passport scans and images of Cuban nationals. All of them are citizens of Cuba except one individual, who is a citizen of Colombia. The data dump also contains a series of Spanish-language enlistment contracts with a section of the Russian Armed Forces headquartered in the city of Tula.

A new Steal-It data theft campaign exfiltrates NTLMv2 hashes is using a customized PowerShell script

Security researchers at Zscaler ThreatLabz uncovered a new information-stealing campaign they dubbed “Steal-IT” that exfiltrates NTLMv2 hashes from compromised Windows systems using a customized PowerShell script. The campaign primarily targets Australia, Poland, and Belgium and is believed to be orchestrated by the Russian military hacker group known as APT28, Strontium or Fancy Bear.

Storm-0324 caught abusing Microsoft Teams for phishing

A threat actor known as Storm-0324, DEV-0324, Sagrid, or TA543 has been observed abusing the Microsoft Teams messaging app to conduct phishing operations. The group’s most recent campaign, which has been ongoing since July this year, uses an open-source tool called TeamsPhisher to send messages with malicious attachments to organizations that allow Teams external communications.

RedFly APT lurked in the network of a national electricity grid org for 6 months

A threat actor known as RedFly compromised the network of an unnamed national electricity grid organization in Asia and had been quietly present in the victim network for six months. The espionage group used the ShadowPad remote access trojan to compromise the target organization and steal credentials. The threat actor leveraged a number of tools in the attack, including a keylogger that captured strokes in the log files in the hacked system, an espionage tool called Packerloader used to execute code that modified a driver file's permissions, as well as for creating credential dumps in the Windows registry and wiping Windows security event logs.

Iranian hackers target orgs in Brazil, Israel, and OAE with new Sponsor backdoor

An Iran-linked government-backed threat actor known as 'Charming Kitten' (Phosphorus, Ballistic Bobcat, TA453, APT35/42) has been observed deploying novel malware against 34 companies in Brazil, Israel and the United Arab Emirates. As part of the operation, the attackers deployed a novel backdoor called ‘Sponsor’ onto target systems after obtaining initial access via known vulnerabilities (CVE-2021-26855) in the internet-exposed Microsoft Exchange servers.

Iranian cyber spies hack orgs in a new password-spraying campaign

Microsoft said it detected a new cyberespionage campaign it attributed to an Iran-linked threat actor known as Peach Sandstorm (Holmium, APT33, Refined Kitten) that has targeted thousands of organizations in the defense, satellite, and pharmaceutical sectors worldwide in password-spray attacks since February 2023.

Microsoft observed the group using a combination of publicly available and custom tools for discovery, persistence, and lateral movement. The threat actor was also seen exploiting known vulnerabilities in Atlassian Confluence (CVE-2022-26134) or Zoho ManageEngine (CVE-2022-47966) to gain initial access.

In some cases, Peach Sandstorm was observed exfiltrating data from the compromised environment, Microsoft said.

Back to the list

Latest Posts

Cyber Security Week in Review: May 24, 2024

Cyber Security Week in Review: May 24, 2024

In brief: Google fixes Chrome zero-day, a backdoor found in JAVS software, and more.
24 May 2024
Chinese APTs increasingly using ORB networks to mask attack infrastructure

Chinese APTs increasingly using ORB networks to mask attack infrastructure

Mandiant reports that it is actively monitoring several ORB networks, with the most notable being SPACEHOP and FLORAHOX.
23 May 2024
Threat actors exploit vulnerable drivers to disable EDRs in cryptojacking attack

Threat actors exploit vulnerable drivers to disable EDRs in cryptojacking attack

Ghostengine deploys several modules to tamper with security tools, establish a backdoor, and ensure software updates are in place.
22 May 2024