13 October 2023

Cyber Security Week in Review: October 13, 2023

Microsoft’s October 2023 Patch Tuesday fixes over 100 flaws, 2 zero-days

Microsoft released its October 2023 Patch Tuesday security updates that address more than a hundred security vulnerabilities in its software, including two zero-day flaws said to have been actively exploited in the wild. One of the zero-days is CVE-2023-36563, a Microsoft WordPad information disclosure issue that can be used to steal NTLM hashes when opening a document in WordPad. The second zero-day, tracked as CVE-2023-41763, affects Skype for Business Server and can result in the leakage of sensitive information.

October 2023 Patch Tuesday also addresses an actively exploited vulnerability (CVE-2023-44487) known as the HTTP/2 Rapid Reset attack, used by an unknown threat actor to carry out high-volume distributed denial-of-service (DDoS) attacks, the largest of which peaked at 398 million RPS.

Apple rolls out security updates to fix a new zero-day bug on older iOS devices

Apple issued iOS 16.7.1 and iPadOS 16.7.1 to address CVE-2023-42824, a vulnerability that has been actively exploited in attacks. The bug is a kernel flaw that could allow a local application to execute arbitrary code on the system with elevated privileges.

Nation-state hackers are exploiting Atlassian Confluence zero-day bug

Nation-state threat actors are actively exploiting a recently patched zero-day flaw (CVE-2023-22515) affecting Atlassian Confluence Data Center and Server instances. Microsoft said that a threat actor it tracks as Storm-0062 (aka DarkShadow and Oro0lxy) has been exploiting this bug since September 14, 2023. Previously, the tech giant linked the Storm-0062 group to the Chinese government.

Citrix addresses high-risk Citrix NetScaler ADC and NetScaler Gateway bugs

Citrix released security updates to fix multiple vulnerabilities in its NetScaler ADC and NetScaler Gateway products, including a flaw that can lead to remote code execution.

Tracked as CVE-2023-4966, the bug is a buffer overflow issue that allows a remote attacker to execute arbitrary code on the target system by sending specially crafted data. It’s worth noting that successful exploitation of the vulnerability requires that the appliance is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server.

Security researchers have recently warned that hackers are targeting Citrix servers by exploiting a recently patched vulnerability (CVE-2023-3519) in Citrix NetScaler ADC and Gateway products. The attackers used the flaw to append a malicious script to the legitimate “index.html” file of the authentication web page in order to capture user credentials.

Hello Kitty ransomware source code leaked on a cybercrime forum

The source code of the Hello Kitty ransomware, best known for breaching and stealing data from video game developer CD Projekt Red, has been leaked on a Russian-language cybercrime forum. The leaked zip archive includes a Microsoft Visual Studio project that can be used to create the Hello Kitty encryptor and decryptor. The released source code is said to be the legitimate 2020 Hello Kitty version used when the ransomware operation was first launched.

FBI and CISA share technical details on the AvosLocker ransomware

The US Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released a security advisory detailing known Indicators of Compromise (IoCs), Tactics, Techniques and Procedures (TTPs), and detection methods associated with the AvosLocker ransomware.

Ransomware actors are exploiting a recently patched WS_FTP flaw

Sophos researchers have warned that ransomware actors are targeting WS_FTP servers unpatched against CVE-2023-40044, a remote code execution issue affecting WS_FTP Server’s Ad Hoc Transfer module.

In the observed exploitation attempt, the attackers known as the Reichsadler Cybercrime Group used the open-source GodPotato tool to escalate privileges and deploy ransomware.

IZ1H9 Mirai-based botnet adds 13 exploits to its arsenal

Fortinet’s FortiGuard Labs team discovered a new Mirai-based DDoS botnet, tracked as IZ1H9, that added thirteen new payloads to target routers from multiple vendors, including D-Link devices, Netis wireless router, Sunhillo SureLine, Geutebruck IP camera, Yealink Device Management, Zyxel devices, TP-Link Archer, Korenix Jetwave, and TOTOLINK routers.

A peak of exploitation was observed on September 6, reaching tens of thousands of exploitation attempts against affected devices.

Malicious NuGet packages deliver SeroXen RAT

DevSecOps company Phylum discovered malicious NuGet packages infecting developer systems with the SeroXen RAT. The malicious package called “Pathoschild.Stardew.Mod.Build.Config” was published by a user who goes online as Disti and is a typosquat of a legitimate package called Pathoschild.Stardew.ModBuildConfig. Upon closer inspection, the researchers found six packages in Disti’s repository masqueraded as popular cryptocurrency projects, exchanges, and platforms, and all six were designed to deploy SeroXen.
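The typosquat described above differs from the real package id only in where the dots fall. The following checker, added here as an illustration and not Phylum's or NuGet's own tooling, normalizes package ids before comparing them against an allow-list of known dependencies and also flags near-misses; the allow-list, the `.csproj` snippet and its version numbers are constructed, and only the two Pathoschild ids come from the news item.

```python
import re
from difflib import SequenceMatcher

# Constructed allow-list of dependencies a project is known to use.
KNOWN_PACKAGES = [
    "Pathoschild.Stardew.ModBuildConfig",
    "Newtonsoft.Json",
    "Serilog.Sinks.Console",
]

# Constructed project file containing the typosquatted id from the report.
CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Pathoschild.Stardew.Mod.Build.Config" Version="0.0.0" />
    <PackageReference Include="Newtonsoft.Json" Version="0.0.0" />
  </ItemGroup>
</Project>"""

def normalize(package_id: str) -> str:
    """Drop dots, hyphens and underscores and lowercase the id.

    NuGet ids are case-insensitive, and separators are the cheapest way to
    mint a look-alike name, so comparison is done on the bare letters.
    """
    return re.sub(r"[._-]", "", package_id).lower()

def similarity(a: str, b: str) -> float:
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()

def check_package(candidate: str, known=KNOWN_PACKAGES, threshold: float = 0.9):
    """Return (verdict, matched_known_id) for one package id.

    "ok": identical to a known id (ignoring case, as NuGet does);
    "separator-squat": same letters, different dots/hyphens/underscores;
    "lookalike": within `threshold` similarity of a known id;
    "unknown": resembles nothing on the allow-list.
    """
    for known_id in known:
        if candidate.lower() == known_id.lower():
            return "ok", known_id
    for known_id in known:
        if normalize(candidate) == normalize(known_id):
            return "separator-squat", known_id
    best = max(known, key=lambda k: similarity(candidate, k))
    if similarity(candidate, best) >= threshold:
        return "lookalike", best
    return "unknown", None

def scan_csproj(xml_text: str, known=KNOWN_PACKAGES):
    """Check every <PackageReference Include="..."> in a project file."""
    ids = re.findall(r'<PackageReference\s+Include="([^"]+)"', xml_text)
    return {pkg: check_package(pkg, known) for pkg in ids}
```

A `separator-squat` verdict is the strongest signal here: the letters match a package the project already trusts, yet the id resolves to a different package on the feed.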

Magecart web skimmers hide in 404 error pages

Akamai researchers discovered a new Magecart web skimming campaign that conceals malicious code in 404 error pages. The campaign is targeting an extensive list of Magento and WooCommerce websites, including those belonging to large organizations in the food and retail industries.

While typical Magecart attacks abuse vulnerabilities in the targeted websites or infect the third-party services used by sites, the new campaign injects malicious code in the sites’ first-party resources such as the HTML pages or the first-party scripts loaded as part of the website.

Chinese cyber crooks backdoor low-cost Android devices for ad fraud

A vast ad fraud botnet has been uncovered that involved thousands of cheap Android-based mobile phones, tablets, and TV boxes infected with the Triada backdoor. The goal of the operation dubbed “Peachpit” was to install malicious apps on the infected devices that would display unwanted ads. The botnet was operated by a China-linked cybercrime syndicate known as “Badbox.”

The researchers observed at least 74,000 mobile phones, tablets, and TV boxes running Android infected with the backdoor. The malware is being installed during the supply chain process and then infected devices are sold on popular online retailers and resale sites.

Cyberattack on Air Europa exposes customers’ bank details

Spanish airline Air Europa, the country's third-largest airline, warned customers to cancel their credit cards following a cyberattack on the company’s online payment system. The credit card details exposed in the breach include card numbers, expiration dates, and the 3-digit CVV (Card Verification Value) code on the back of the payment cards. No other data has been exposed, the airline said.

Threat actors target Ukrainian government agencies in a new wave of SmokeLoader attacks

CERT-UA published Indicators of Compromise related to a new malicious campaign by a financially motivated threat actor tracked as UAC-0006 targeting government entities in Ukraine. The team said that between 2 and 6 October 2023 the attackers launched at least four waves of attacks.

The US, Ukraine, and Israel remain top targets of nation-state hackers

The United States, Ukraine, Israel and Taiwan top the list of the countries most targeted by nation-state hacker groups, according to Microsoft’s latest Digital Defense Report. However, state-sponsored hacker operations grew increasingly global in scope over the last year, particularly expanding in the Global South to more parts of Latin America and sub-Saharan Africa.

The report also notes that Russian and Iranian state-sponsored actors that employed destructive attacks most frequently shifted their focus to cyber espionage campaigns.

‘Stayin’ Alive’ cyber espionage campaign targets telecoms, governments in Asia

Security experts with Check Point Research shared details on an ongoing cyber espionage campaign they track as ‘Stayin’ Alive’ that mainly targets the telecommunications industry and government organizations across Asia. The operation, which has been ongoing since 2021, consists of mostly downloaders and loaders, some of which were used as an initial infection vector.

Although the tools used in this campaign share no clear code overlaps with products created by any known threat actors and do not have much in common with each other, they are all linked to the same set of infrastructure, tied to ToddyCat, a Chinese-affiliated threat actor operating in Asia.

New Grayling APT targets IT and biomedical sectors in Taiwan

A previously undocumented threat actor has been observed targeting the manufacturing, IT, and biomedical sectors in Taiwan as part of a cyber espionage campaign that began in February 2023 and continued until at least May 2023.

Dubbed ‘Grayling’, the threat actor used custom malware in its attacks as well as publicly available tools such as the Havoc command-and-control framework, Cobalt Strike, the NetSpy spyware, the credential-dumping tool Mimikatz and other tools. The observed campaign appears to have also hit organizations in the Pacific Islands, Vietnam and the US.

One of the most interesting aspects of the campaign is the use of a distinctive DLL sideloading technique that leverages a custom decryptor to deploy payloads.
