20 October 2023

Cyber Security Week in Review: October 20, 2023

Ragnar Locker, Trigona ransomware go down

An international police operation involving Europol and law enforcement authorities from the US, Germany, France, Italy, Japan, Spain, Netherlands, Czech Republic, and Latvia took down the Ragnar Locker ransomware gang's Tor negotiation and data leak sites, which are now displaying a seizure message. Europol has confirmed the takedown but declined to comment further, citing an ongoing action targeting the Ragnar Locker ransomware operation.

Additionally, a group of pro-Ukraine hacktivists known as Ukrainian Cyber Alliance commandeered a data leak site of the Trigona ransomware, exfiltrated data and wiped the servers. The group said they used a privilege escalation vulnerability (CVE-2023-22515) in Atlassian Confluence software said to have been exploited by at least one threat actor (Storm-0062) since September 2023.

The activists said they exfiltrated the information from Trigona’s administration and victim panels, their blog and data leak site, as well as the developer environment, cryptocurrency hot wallets, the source code and database records.

Currently, it’s unclear if the exfiltrated data contains any decryption keys.

E-Root cybercrime marketplace admin extradited to the US

A Moldovan national, Sandu Diaconu, was extradited from the UK to the United States where he was charged with multiple offenses related to his administration of the E-Root marketplace that sold access to hacked computers worldwide. If convicted, he could face up to 20 years in prison.

E-Root, dismantled in 2020, operated across a widely distributed network and allowed customers to search for compromised credentials, such as RDP and SSH access, by criteria such as price, geographic location, internet service provider, and operating system. It also used the Perfect Money payment system to help hide buyers’ payments and offered its own illicit cryptocurrency exchange service for converting Bitcoin to Perfect Money and vice versa. The authorities estimate that more than 350,000 compromised credentials were listed for sale on E-Root.

Indian authorities bust tech support scammers

India’s Central Bureau of Investigation (CBI) raided call centers at 76 locations across the country involved in tech support and cryptocurrency scams. The illegal call centers raided by CBI were set up to impersonate Microsoft and Amazon customer support. They targeted over 2,000 Amazon and Microsoft customers, primarily based in the US, but also in Canada, Germany, Australia, Spain, and the UK.

As part of the operation, dubbed ‘Operation Chakra-II’, 32 mobile phones, 48 laptops / hard disks, images of two servers, 33 SIM cards, and pen drives were confiscated and numerous bank accounts were frozen. CBI also seized a dump of 15 email accounts.

Recently patched Citrix NetScaler bug has been under exploitation since August 2023

A Citrix NetScaler RCE vulnerability addressed earlier this month has been exploited as a zero-day since August 2023, security researchers said.

Tracked as CVE-2023-4966, the bug is a buffer overflow issue that allows a remote attacker to execute arbitrary code on the target system by sending specially crafted data. It’s worth noting that successful exploitation of the vulnerability requires that the appliance is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server.

According to Mandiant Consulting CTO Charles Carmakal, simply applying the patch is not enough; organizations should also terminate all active sessions.

Signal denies rumors of a zero-day bug

Signal has denied reports of a zero-day vulnerability in its encrypted messaging app that have been circulating online over the weekend. The company said it conducted a thorough investigation and found no evidence that the rumored zero-day vulnerability is real.

The number of compromised Cisco IOS XE devices reaches almost 42,000

The Censys search platform said it found 41,983 Cisco IOS XE devices compromised via a new zero-day vulnerability affecting IOS XE software.

Previously, LeakIX reported about 30,000 infected Cisco devices, including routers, switches and VPN solutions, with the majority of them located in the US, followed by the Philippines, Chile and Mexico.

The flaw, tracked as CVE-2023-20198, resides in the web UI feature and can be exploited by a remote unauthenticated attacker via a specially crafted HTTP request sent to the affected device. The attacker can then create an account with privilege level 15 access. The vulnerability affects all IOS XE versions.
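Because the two observable consequences named above are an exposed web UI and a newly created privilege-15 account, a defender's first check on an IOS XE fleet is a review of each device's running configuration. The script below is an added example, not code from the original article or from Cisco: it parses a constructed IOS XE config excerpt (the hostname, account names and secret placeholders are invented) and reports whether the HTTP/HTTPS server is enabled and which local users hold privilege 15 without appearing on the site's documented admin list (here the assumed set `EXPECTED_ADMINS`).

```python
import re
from typing import Dict, List, Set

# Constructed sample "show running-config" excerpt; the device name, users and
# secret values are placeholders, not data from any real device.
SAMPLE_CONFIG = """\
!
hostname edge-router-01
!
username netops privilege 15 secret 9 $9$PLACEHOLDER
username webadmin_tmp privilege 15 secret 9 $9$PLACEHOLDER
username helpdesk privilege 1 secret 9 $9$PLACEHOLDER
!
ip http server
ip http secure-server
ip http authentication local
!
"""

# Assumption: the accounts the site has actually documented as administrators.
EXPECTED_ADMINS: Set[str] = {"netops"}

# "username <name> privilege <level> ..." as written in IOS XE configs.
USER_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)\b")

# The two commands that turn the web UI on over HTTP and HTTPS respectively.
WEB_UI_LINES = ("ip http server", "ip http secure-server")


def find_web_ui(config: str) -> List[str]:
    """Return the web-UI enabling lines present in the config."""
    return [line.strip() for line in config.splitlines()
            if line.strip() in WEB_UI_LINES]


def find_unexpected_privileged_users(config: str,
                                     expected: Set[str]) -> List[str]:
    """Return privilege-15 local users that are not on the documented list."""
    unexpected = []
    for line in config.splitlines():
        match = USER_RE.match(line.strip())
        if match and int(match.group(2)) >= 15 \
                and match.group(1) not in expected:
            unexpected.append(match.group(1))
    return unexpected


def assess(config: str,
           expected: Set[str] = EXPECTED_ADMINS) -> Dict[str, List[str]]:
    """Combine both checks into one report for a single device."""
    return {
        "web_ui_enabled": find_web_ui(config),
        "unexpected_priv15": find_unexpected_privileged_users(config, expected),
    }


if __name__ == "__main__":
    report = assess(SAMPLE_CONFIG)
    for key, value in report.items():
        print(f"{key}: {value if value else 'none'}")
```

Run against a real device's `show running-config` output by reading the file into `assess()`; an unexpected privilege-15 user on a device with the web UI exposed is the condition worth escalating, while an enabled web UI with only documented admins still warrants restricting or disabling the HTTP server until the device is patched.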

Russian and Chinese nation-state actors target recently patched WinRAR zero-day

Several nation-state actors associated with Russia and China (Sandworm, APT28 and APT40) have been abusing a high-severity flaw in the WinRAR file archiver utility as part of their operations, Google’s Threat Analysis Group (TAG) said.

Tracked as CVE-2023-38831, the flaw could be exploited by a remote attacker using a specially crafted archive with executable malicious files designed to spoof a file extension to look like .jpeg or .txt.
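The spoofing described above leaves a structural trace in the archive itself: an executable whose name carries a decoy document or image extension followed by whitespace (for example `photo.jpg .cmd`), placed in a folder named like the decoy file. The following Python is an added example, not code from the original article or from Google TAG, and it is a naming-pattern check for mail gateways or triage scripts, not a test for whether WinRAR is vulnerable. It reads ZIP archives only (the stdlib `zipfile` module handles that format); the extension lists and the in-memory sample archives, whose contents are harmless text, are constructed for the example.

```python
import io
import os
import zipfile
from typing import List

# Extensions Windows will execute on open, and decoy extensions typically used
# to make such a file look like a document or image. Both lists are assumptions
# for the example and can be extended.
EXEC_EXTS = {".cmd", ".bat", ".exe", ".vbs", ".js", ".ps1", ".scr", ".lnk"}
DECOY_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".txt", ".pdf", ".doc", ".docx"}


def looks_like_spoofed_exec(leaf: str) -> bool:
    """True for names like 'photo.jpg .cmd': a decoy extension, then whitespace,
    then an executable extension."""
    root, ext = os.path.splitext(leaf)
    if ext.lower() not in EXEC_EXTS:
        return False
    if root == root.rstrip(" "):
        return False  # no padding between the two extensions
    decoy_ext = os.path.splitext(root.rstrip(" "))[1].lower()
    return decoy_ext in DECOY_EXTS


def suspicious_entries(names: List[str]) -> List[str]:
    """Return archive member names matching the decoy-folder pattern."""
    top_level_files = {n for n in names if "/" not in n}
    hits = []
    for name in names:
        parts = name.split("/")
        if len(parts) < 2 or name.endswith("/"):
            continue  # only files inside a folder are of interest
        folder, leaf = parts[0], parts[-1]
        # The folder name is the decoy file name plus trailing whitespace,
        # and a same-named decoy file sits at the archive root.
        folder_is_decoy = folder != folder.rstrip(" ") \
            and folder.rstrip(" ") in top_level_files
        if folder_is_decoy and looks_like_spoofed_exec(leaf):
            hits.append(name)
    return hits


def scan_archive(data: bytes) -> List[str]:
    """Scan a ZIP archive held in memory and return suspicious member names."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return suspicious_entries(zf.namelist())


def build_sample_archive() -> bytes:
    """Constructed archive laid out like the spoofing pattern; the 'script'
    member is plain text, so the sample itself does nothing if opened."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photo.jpg", b"placeholder, not an image")
        zf.writestr("photo.jpg /photo.jpg .cmd", b"rem constructed sample text")
    return buf.getvalue()


def build_clean_archive() -> bytes:
    """Constructed benign archive with an ordinary folder and files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photo.jpg", b"placeholder, not an image")
        zf.writestr("notes/readme.txt", b"nothing to see here")
    return buf.getvalue()


if __name__ == "__main__":
    print("sample:", scan_archive(build_sample_archive()))
    print("clean: ", scan_archive(build_clean_archive()))
```

A hit is a reason to quarantine the attachment and inspect the member by hand; an empty result only means this particular naming trick is absent, so the check complements rather than replaces updating WinRAR.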

Additionally, Microsoft reported that two North Korean threat actors it tracks as Diamond Sleet (aka Zinc) and Onyx Sleet (Plutonium) have been observed exploiting a remote code execution vulnerability (CVE-2023-42793) affecting the JetBrains TeamCity build management and continuous integration server.

The Diamond Sleet attacks exploited the flaw to deploy the Forest Tiger backdoor to establish persistent access to the target system, while Onyx Sleet created a new user account on the compromised system with administrator-level access.

US seizes 17 domains used by North Korean IT workers to defraud businesses worldwide

The US authorities announced the takedown of 17 website domains used by North Korean overseas IT workers in a scheme to allegedly defraud businesses in the US and across the globe, evade sanctions and fund the development of North Korea's weapons program. According to the US Department of Justice, North Korean IT workers collected nearly $1.5 million in revenue through the fraud schemes. The DoJ said the criminal proceeds were seized in October 2022 and January 2023.

Iranian OilRig APT targets governments in the Middle East in 8-month-long espionage campaign

Symantec’s threat hunter team released a report detailing a new cyber espionage campaign by an Iran-linked threat actor known as OilRig, APT34 or Crambus, that lasted 8 months. During the campaign, which targeted a government in the Middle East, the attackers stole files and passwords and, in one case, installed a PowerShell backdoor (dubbed PowerExchange) that monitored incoming mail on an Exchange Server for attacker commands, executed them, and surreptitiously forwarded the results to the intruders.

Telecom providers in Ukraine targeted with destructive attacks

At least 11 telecommunications services providers in Ukraine have been hit with destructive attacks between May 11, 2023, and September 27, 2023, CERT-UA said. The agency has attributed these campaigns to Sandworm (UAC-0165), a threat actor believed to be one of Russia's military cyber units. The attackers planted a backdoor in the form of a PAM module, tracked as POEMGATE, on compromised machines. In some cases, the hackers installed a variant of the Poseidon remote access tool (RAT), or the Weevely backdoor (if the target company provides hosting services).

CISA shares bugs, misconfigs and weaknesses linked to ransomware campaigns

The US Cybersecurity and Infrastructure Security Agency (CISA) announced an update to its known exploited vulnerabilities (KEV) catalog, which will now list information about which vulnerabilities are commonly associated with ransomware campaigns. The agency has also developed a second new RVWP resource that serves as a companion list of misconfigurations and weaknesses known to be used in ransomware campaigns.

Separately, CISA, NSA, the FBI, and MS-ISAC issued an advisory on commonly used phishing techniques. The advisory also offers recommendations on how to mitigate phishing attacks.

Additionally, NSA published a repository named ELITEWOLF, which contains various ICS/SCADA/OT-focused signatures and analytics to help defenders identify and detect potentially malicious cyber activity in their OT environments.

ESET releases report on cybercrime in Latin America

ESET has released an analytical report highlighting the threat landscape in Latin America (LATAM). The report examines various documented campaigns targeting exclusively the LATAM region between 2019 and 2023.

Hackers can now hide malicious code in Web3 smart contracts

Hackers devised a novel way to embed malicious code in Binance Smart Chain (BSC) smart contracts. Dubbed “EtherHiding,” the attack involves compromising WordPress websites by implanting code that retrieves partial payloads from the blockchain contracts, with the payloads themselves stored in BSC smart contracts. These smart contracts effectively function as clandestine, anonymous hosting platforms for malicious code.

AI algorithm intercepts MitM attacks on military robots

Researchers from Charles Sturt University (Australia) and the University of South Australia (UniSA) developed a novel algorithm that can block a Man-in-the-Middle (MitM) attack on an unmanned military robot in a matter of seconds. The new algorithm has been tested on a replica of a US Army combat ground vehicle and shown to be 99% successful at preventing a malicious attack, with false positive rates of less than 2%.

Casio reveals a data breach

Japanese electronics giant Casio said that hackers broke into its ClassPad server and stole a database with personal information belonging to customers in 149 countries.

The company said that the attackers were able to gain access to the database because “some of the network security settings in the development environment were disabled due to an operational error of the system by the department in charge and insufficient operational management.”

The compromised information includes customer names, email addresses, country/region of residence, purchasing information (order details, payment method, license code, etc.), and service usage information (log data, nicknames, etc.).
