22 September 2023

Cyber Security Week in Review: September 22, 2023


Cyber Security Week in Review: September 22, 2023

Apple fixes 3 zero-days in iOS, iPadOS, macOS, Safari

Apple released security updates to address three actively exploited zero-day flaws impacting iOS, iPadOS, macOS, watchOS, and Safari.

The three zero-days are CVE-2023-41991 (a signature validation process bypass issue in the Security framework), CVE-2023-41992 (a privilege escalation vulnerability in Kernel that could allow a local attacker to elevate privileges), CVE-2023-41993 (a WebKit flaw that could result in arbitrary code execution when processing specially crafted web content).

The tech giant didn’t share additional details regarding the nature of exploitation, apart from saying that the “issue may have been actively exploited against versions of iOS before iOS 16.7.” Researchers at the Citizen Lab at the University of Toronto's Munk School and Google's Threat Analysis Group (TAG) have been credited for the flaws, suggesting that the vulnerabilities have been exploited as part of a government-backed cyberespionage campaign.

Trend Micro patches Apex One zero-day exploited in hacker attacks

Trend Micro released emergency security updates to address a zero-day vulnerability in its Apex One endpoint protection solution actively exploited in the wild. Tracked as CVE-2023-41179, the flaw is a command injection issue within the third-party AV uninstaller module shipped with the software. By exploiting this bug a local user can execute arbitrary commands with elevated privileges.

Over 10,000 Juniper firewalls vulnerable to recently disclosed RCE flaw

Nearly 12,000 Juniper SRX firewalls and EX switches are vulnerable to attacks exploiting a recently disclosed flaw that allows a remote attacker to achieve remote code execution without creating a file on the system.

Tracked as CVE-2023-36845, the bug was fixed in August of this year along with a slew of other vulnerabilities (CVE-2023-36844, CVE-2023-36846, CVE-2023-36847, and CVE-2023-36851). As per researchers at watchTowr, when chained together, these bugs could allow remote code execution. A proof-of-concept (PoC) exploit created by watchTowr combined CVE-2023-36846 and CVE-2023-36845 to upload a PHP file containing malicious shellcode and achieve code execution.

Microsoft accidentally leaked 38 TB of confidential data

Microsoft’s AI research team accidentally exposed a large trove of private data on GitHub, including a disk backup of two employees’ workstations. The exposed cache included 38 terabytes of sensitive information such as secrets, private keys, passwords, and more than 30,000 internal Microsoft Teams messages from over 300 Microsoft employees.

The leak was caused by a Microsoft researcher who inadvertently included an SAS token in a blob store URL while contributing to open-source AI learning models and providing the URL in a public GitHub repository. The tech giant said it has revoked the SAS token and has taken measures to further harden the SAS token feature.

Canada’s largest airline discloses a data breach

Air Canada said it suffered a security incident where an unauthorized party briefly breached its internal systems related to the personal information of some employees and certain records. The company said in a short statement, that the incident had not impacted its flight operations and customer-facing systems. No customer information was accessed, the company said.

International Criminal Court reports a cyberattack

The International Criminal Court (ICC) reported it experienced a cyber incident affecting its information systems. The ICC didn’t reveal the nature of the incident or whether any data had been stolen. The court said it “continues to analyze and mitigate the impact of the incident” adding that “priority is being given to ensuring that the core work of the Court continues”.

Police dismantle match-fixing gang that used satellites to hijack live feeds of sports events

A criminal network that used advanced technology to capture live streams of sports events has been dismantled as part of a joint law enforcement operation conducted by Spain’s authorities and Romanian police in coordination with Europol and Interpol.

The gang comprised of Romanian and Bulgarian nationals, who operated from Spain, used satellites to intercept live feeds of competitions before they reached the betting houses. This allowed the criminals to place sure online bets knowing the results of the matches in advance.

Piilopuoti dark web marketplace shut down by police

An international law enforcement operation has resulted in the shutdown of the dark web marketplace called Piilopuoti. The marketplace, which has been in operation since May 2022, specialized in selling drugs and was used as a means to smuggle illicit substances into Finland.

The authorities didn’t provide further information regarding the police operation as the investigation is still ongoing and law enforcement worldwide is working together to identify the sellers and users on the platform.

Malware dev behind NLBrute tool pleads guilty in the US

Dariy Pankov, aka dpxaker, believed to be a developer of the NLBrute malware has pleaded guilty in a US court to conspiracy to commit access device fraud and computer fraud. The US Department of Justice alleges that Pankov developed a brute-forcing tool called NLBrute able to compromise password-protected machines by decrypting login credentials. Pankov faces a maximum penalty of five years in prison. He has also agreed to forfeit $358,437 obtained via criminal activity. A sentencing date will be set at a later date.

DevOps firm Retool hit with SMS-based phishing attack

Software development company Retool disclosed it suffered a security incident involving an SMS-based phishing attack that affected the cloud accounts of some of its customers. The company said the breach took place on August 29, 2023, with the attacker tricking one of its employees into clicking on a phishing link sent in a text message.

The employee has activated Google Authenticator's cloud sync feature which allowed the threat actor to gain elevated access to the company’s internal admin systems and commandeer the accounts belonging to 27 customers in the crypto industry.

As per media reports, one of the victims, financial infrastructure company Fortress Trust, lost $15 million worth of customers’ cryptocurrency due to the Retool incident.

Chinese-language speakers targeted with phishing campaigns distributing Sainbox RAT and ValleyRAT malware

Proofpoint researchers said they observed an increase in the email distribution of malware associated with suspected Chinese cybercrime activity, with malicious campaigns delivering a variant of the commodity trojan Gh0stRAT called Sainbox, and a novel ValleyRAT malware.

Campaigns are generally low-volume and are typically sent to global organizations with operations in China. The email subjects and content are usually written in Chinese and are typically related to business themes like invoices, payments, and new products. The emails contain URLs linking to compressed executables that are responsible for installing the malware.  Proofpoint said it has also observed Sainbox RAT and ValleyRAT delivered via Excel and PDF attachments containing URLs linking to compressed executables.

Black Cat actors encrypt Azure accounts with new Sphynx ransomware

The BlackCat (ALPHV) ransomware group has been observed using compromised Microsoft accounts and the new Sphynx ransomware variant to take over Azure Storage accounts.

First spotted earlier this year, the Sphynx variant embeds the Impacket networking framework and the Remcom hacking tool, both facilitating lateral movement in compromised networks.

Gold Melody IAB exploits flaws in Oracle, Apache, Sitecore software to hack into corporate networks

A cybercrime outfit known as Gold Melody, Prophet Spider or UNC961 exploits known vulnerabilities in the internet-exposed servers to compromise enterprise networks, according to a new report from SecureWorks Counter Threat Unit.

The group, which has been around since at least 2017, acts as an initial access broker (IAB) selling access to the hacked networks to other cybercriminals. In some cases, the initial access was used by third parties to deploy ransomware. Gold Melody relies on web shells, built-in operating system utilities, proprietary remote access trojans (RATs) and tunneling tools to facilitate its activity once inside a compromised environment.

A majority of bot attacks come from Russia and China

A majority of all bot attacks emanate from Russia and China, with 72% of organizations surveyed hit with bot attacks that originated in China, and 66% from Russia, according to a new study from the bot detection service Netacea.

The survey also found that it takes four months on average to detect bot attacks, with 97% of respondents admitting it takes over a month to respond. 40% of businesses report attacks on their APIs, while attacks on mobile apps have overtaken website attacks for the first time.

Sandman APT targets telcos in the Middle East, Western Europe with LuaDream malware

SentinelLabs researchers released a report detailing a previously undocumented threat cluster they dubbed ‘Sandman.’ The threat actor has been observed targeting telecommunications companies in the Middle East, Western Europe, and the South Asian subcontinent with a novel modular backdoor called “LuaDream” that utilizes the LuaJIT platform. The researchers suspect that the malware may be the work of a private contractor or mercenary group.

Separately, Cisco’s Talos threat research group shared details on a threat actor called ShroudedSnooper that targets telecommunications providers in the Middle East with novel malware named ‘HTTPSnoop’ and ‘PipeSnoop.’

Transparent Tribe APT spreads CapraRAT malware via fake YouTube Android apps

A Pakistan-aligned threat actor known as Transparent Tribe has been observed using fake Android apps mimicking YouTube to distribute the CapraRAT backdoor in a new cyber espionage campaign. CapraRAT comes with a variety of features, including the ability to record with the microphone, front and rare cameras, collect messages and call logs, send SMS messages and block incoming SMS, make phone calls, take screen grabs, override system settings, modify files on the device’s filesystem.

FBI and CISA warn of Snatch ransomware attacks

The US Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) published Indicators of Compromise (IoCs) and tactics, techniques, and procedures (TTPs) associated with the Snatch ransomware group known for their attacks on critical infrastructure sectors including the defense industrial base (DIB), food and agriculture, and IT sectors.

Snatch’s tactics involve data exfiltration and double extortion. After stealing data, Snatch threat actors may threaten victims with double extortion, where the victims’ data will be posted on Snatch’s data leak website if the ransom is not paid.

Fake WinRAR exploit drops VenomRAT

A fake proof-of-concept (PoC) exploit for a recently patched WinRAR RCE vulnerability has been uncovered on GitHub designed to infect users with the VenomRAT malware. Said WinRAR vulnerability (CVE-2023-40477) was addressed by the maintainer in June 2023 and publicly disclosed in August. Just a few days later, a threat actor known online as ‘whalersplonk’ uploaded a fake PoC script to their GitHub repository.

According to Palo Alto Networks researchers who spotted and analyzed the exploit, the code was based on a publicly available PoC script that exploited an SQL injection vulnerability (CVE-2023-25157) in the GeoServer app and ultimately led to the installation of the VenomRAT info-stealer.


Back to the list

Latest Posts

Rockstar 2FA phishing-as-a-service targets Microsoft 365 users with AiTM attacks

Rockstar 2FA phishing-as-a-service targets Microsoft 365 users with AiTM attacks

Rockstar 2FA appears to be an updated version of the DadSec (also known as Phoenix) phishing kit.
2 December 2024
Phishing campaign targeting tax professionals in Ukraine with Litemanager malware

Phishing campaign targeting tax professionals in Ukraine with Litemanager malware

CERT-UA attributes the activity to the financially motivated group UAC-0050.
2 December 2024
Hackers steal $17M from Uganda's central bank

Hackers steal $17M from Uganda's central bank

The attackers breached the central bank’s IT systems earlier this month and transferred the funds to various accounts.
2 December 2024