This posting is here to collect cyber security news in April 2023.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
Tomi Engdahl says:
Android malware infiltrates 60 Google Play apps with 100M installs https://www.bleepingcomputer.com/news/security/android-malware-infiltrates-60-google-play-apps-with-100m-installs/
A new Android malware named ‘Goldoson’ has infiltrated Google Play through 60 legitimate apps that collectively have 100 million downloads. The malicious malware component is part of a third-party library used by all sixty apps that the developers unknowingly added to their apps
Tomi Engdahl says:
Vice Society ransomware uses new PowerShell data theft tool in attacks https://www.bleepingcomputer.com/news/security/vice-society-ransomware-uses-new-powershell-data-theft-tool-in-attacks/
The Vice Society ransomware gang is deploying a new, rather sophisticated PowerShell script to automate data theft from compromised networks. Stealing corporate and customer data is a standard tactic in ransomware attacks for use as further leverage when extorting victims or reselling the data to other cybercriminals for maximum profit. Vice Society’s new data exfiltrator is fully automated and uses “living off the land” binaries and scripts that are unlikely to trigger alarms from security software, keeping their activities stealthy before the final step of the ransomware attack, the encrypting of data
Tomi Engdahl says:
Why is Juice Jacking Suddenly Back in the News?
https://krebsonsecurity.com/2023/04/why-is-juice-jacking-suddenly-back-in-the-news/
The term juice jacking crept into the collective paranoia of gadget geeks in the summer of 2011, thanks to the headline for a story here about researchers at the DEFCON hacker convention in Vegas who'd set up a mobile charging station designed to educate the unwary to the reality that many mobile devices connected to a computer would sync their data by default. Since then, Apple, Google and other mobile device makers have changed the way their hardware and software works so that their devices no longer automatically sync data when one plugs them into a computer with a USB charging cable. Instead, users are presented with a prompt asking if they wish to trust a connected computer before any data transfer can take place
Tomi Engdahl says:
Lazarus Hacker Group Evolves Tactics, Tools, and Targets in DeathNote Campaign https://thehackernews.com/2023/04/lazarus-hacker-group-evolves-tactics.html
The North Korean threat actor known as the Lazarus Group has been observed shifting its focus and rapidly evolving its tools and tactics as part of a long-running campaign called DeathNote. While the nation-state adversary is known for persistently singling out the cryptocurrency sector, recent attacks have also targeted automotive, academic, and defense sectors in Eastern Europe and other parts of the world, in what’s perceived as a “significant” pivot
Tomi Engdahl says:
New Mirai Variant Employs Uncommon Tactics to Distribute Malware https://www.darkreading.com/remote-workforce/new-mirai-variant-employs-uncommon-tactics-to-distribute-malware
A new version of a Mirai variant called RapperBot is the latest example of malware using relatively uncommon or previously unknown infection vectors to try and spread widely. RapperBot first surfaced last year as Internet of Things (IoT) malware containing large chunks of Mirai source code but with some substantially different functionality compared with other Mirai variants. The differences included the use of a new protocol for command-and-control (C2) communications and a built-in feature for brute-forcing SSH servers rather than Telnet services, as is common in Mirai variants
Tomi Engdahl says:
Hackers claim vast access to Western Digital systems https://techcrunch.com/2023/04/13/hackers-claim-vast-access-to-western-digital-systems/
The hackers who breached data storage giant Western Digital claim to have stolen around 10 terabytes of data from the company, including reams of customer information. The extortionists are pushing the company to negotiate a ransom of a minimum 8 figures in exchange for not publishing the stolen data
Tomi Engdahl says:
LockBit ransomware encryptors found targeting Mac devices https://www.bleepingcomputer.com/news/security/lockbit-ransomware-encryptors-found-targeting-mac-devices/
The LockBit ransomware gang has created encryptors targeting Macs for the first time, likely becoming the first major ransomware operation to ever specifically target macOS. The new ransomware encryptors were discovered by cybersecurity researcher MalwareHunterTeam who found a ZIP archive on VirusTotal that contained what appears to be all of the available LockBit encryptors. Historically, the LockBit operation uses encryptors designed for attacks on Windows, Linux, and VMware ESXi servers. However, as shown below, this archive also contained previously unknown encryptors for macOS, ARM, FreeBSD, MIPS, and SPARC CPUs
Tomi Engdahl says:
Major operation: marketplace for stolen user credentials shut down, Finnish NBI (KRP) assisted the United States https://www.is.fi/digitoday/art-2000009522527.html
The online marketplace for stolen user credentials Genesis Market was shut down last week in an international operation led by the US federal police FBI and the Dutch police
Tomi Engdahl says:
Cybercrims hop geofences, clamor for stolen ChatGPT Plus accounts https://www.theregister.com/2023/04/15/cybercrims_hop_chatgpt_geofences/
The market for stolen ChatGPT accounts, and especially Plus subscriptions, is on the rise as miscreants in countries blocked by OpenAI try to hop the chatbot’s geofences. This uptick began in March, according to Check Point bods who say they’ve noticed an “increase in the chatter in underground forums related to leaking or selling compromised ChatGPT premium accounts.”
Tomi Engdahl says:
CISA warns of Android bug exploited by Chinese app to spy on users https://www.bleepingcomputer.com/news/security/cisa-warns-of-android-bug-exploited-by-chinese-app-to-spy-on-users/
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned today of a high-severity Android vulnerability believed to have been exploited by a Chinese e-commerce app Pinduoduo as a zero-day to spy on its users. This Android Framework security flaw (tracked as CVE-2023-20963) allows attackers to escalate privileges on unpatched Android devices without requiring user interaction. “Android Framework contains an unspecified vulnerability that allows for privilege escalation after updating an app to a higher Target SDK with no additional execution privileges needed,” CISA explains
Tomi Engdahl says:
Google Warns of New Chrome Zero-Day Attack
https://www.securityweek.com/google-warns-of-new-chrome-zero-day-attack/
The high-severity vulnerability, tracked as CVE-2023-2033, is described as a type confusion in the Chrome V8 JavaScript engine.
Another day, another zero-day attack hitting widely deployed software from a big tech provider.
Google on Friday joined the list of vendors dealing with zero-day attacks, rolling out a major Chrome Desktop update to fix a security defect that’s already been exploited in the wild.
The high-severity vulnerability, tracked as CVE-2023-2033, is described as a type confusion in the Chrome V8 JavaScript engine.
“Google is aware that an exploit for CVE-2023-2033 exists in the wild,” the company said in a barebones advisory that credits Clément Lecigne of Google’s Threat Analysis Group for reporting the issue.
The company did not provide any additional details of the bug, the in-the-wild exploitation, indicators of compromise (IOCs) or any guidance on the profile of targeted machines.
Google said access to bug details and links may be kept restricted until a majority of users are updated with a fix.
The patch is being pushed to Chrome 112.0.5615.121 for Windows, Mac and Linux and will roll out via the software’s automatic patching mechanism over the coming days/weeks.
Tomi Engdahl says:
Critical Vulnerability in Hikvision Storage Solutions Exposes Video Security Data
https://www.securityweek.com/critical-vulnerability-in-hikvision-storage-solutions-exposes-video-security-data/
Hikvision patches CVE-2023-28808, a critical authentication bypass vulnerability that exposes video data stored on its Hybrid SAN and cluster storage products.
Tomi Engdahl says:
Darktrace Denies Getting Hacked After Ransomware Group Names Company on Leak Site
https://www.securityweek.com/darktrace-denies-getting-hacked-after-ransomware-group-names-firm-on-leak-site/
Cybersecurity firm Darktrace has issued a statement after it was listed on the leak website of the LockBit ransomware group.
Cybersecurity company Darktrace issued a statement on Thursday after it was named on the leak website of the LockBit ransomware group.
“Earlier this morning we became aware of tweets from LockBit, the cyber-criminal gang, claiming that they had compromised Darktrace’s internal security systems and had accessed our data. Our security teams have run a full review of our internal systems and can see no evidence of compromise,” Darktrace said.
“None of the LockBit social media posts link to any compromised Darktrace data. We will continue to monitor the situation extremely closely, but based on our current investigations we are confident that our systems remain secure and all customer data is fully protected,” it added.
Updated statement regarding LockBit claims
https://darktrace.com/statement-darktrace
Tomi Engdahl says:
Vulnerabilities
Juniper Networks Patches Critical Third-Party Component Vulnerabilities
https://www.securityweek.com/juniper-networks-patches-critical-third-party-component-vulnerabilities/
Juniper Networks this week announced patches for tens of vulnerabilities across its product portfolio, including critical bugs in Junos OS and STRM.
Tomi Engdahl says:
Google, CISA Warn of Android Flaw After Reports of Chinese App Zero-Day Exploitation
https://www.securityweek.com/google-cisa-warn-of-android-flaw-after-reports-of-chinese-app-zero-day-exploitation/
The Android vulnerability CVE-2023-20963, reportedly exploited as a zero-day by a Chinese app against millions of devices, was added to CISA’s KEV catalog.
An Android vulnerability that was reportedly exploited as a zero-day by a Chinese application against millions of devices has been added to the known exploited vulnerabilities catalog maintained by the US Cybersecurity and Infrastructure Security Agency (CISA) after Google confirmed exploitation.
Google said on March 21 that it had suspended the popular Chinese shopping application Pinduoduo on its app store after malware was discovered in versions of the app distributed through other websites. The Chinese company at the time denied the allegations.
Tomi Engdahl says:
Microsoft Warns Accounting, Tax Return Preparation Firms of Remcos RAT Attacks
https://www.securityweek.com/microsoft-warns-accounting-tax-return-preparation-firms-of-remcos-rat-attacks/
A new Remcos RAT campaign is targeting US accounting and tax return preparation firms as Tax Day approaches.
Tomi Engdahl says:
Online Gaming Chats Have Long Been Spy Risk for US Military
https://www.securityweek.com/online-gaming-chats-have-long-been-spy-risk-for-us-military/
Online gaming forums have long been a particular worry of the military because of their lure for young service members.
Step into a U.S. military recreation hall at a base almost anywhere in the world and you’re bound to see it: young troops immersed in the world of online games, using government-funded gaming machines or their own consoles.
The enthusiasm military personnel have for gaming — and the risk that carries — is in the spotlight after Jack Teixeira, a 21-year-old Massachusetts Air National Guardsman, was charged with illegally taking and posting highly classified material in a geopolitical chat room on Discord, a social media platform that started as a hangout for gamers.
Tomi Engdahl says:
FBI Arrests 21-Year-Old Guardsman in Leak of Classified Military Documents
https://www.securityweek.com/fbi-arrests-21-year-old-guardsman-in-leak-of-classified-military-documents/
A Massachusetts Air National Guard member was arrested Thursday in connection with the disclosure of highly classified military documents about the Ukraine war and other top national security issues.
Tomi Engdahl says:
Mobile & Wireless
Google, CISA Warn of Android Flaw After Reports of Chinese App Zero-Day Exploitation
https://www.securityweek.com/google-cisa-warn-of-android-flaw-after-reports-of-chinese-app-zero-day-exploitation/
The Android vulnerability CVE-2023-20963, reportedly exploited as a zero-day by a Chinese app against millions of devices, was added to CISA’s KEV catalog.
Tomi Engdahl says:
Google Warns of New Chrome Zero-Day Attack
https://www.securityweek.com/google-warns-of-new-chrome-zero-day-attack/
The high-severity vulnerability, tracked as CVE-2023-2033, is described as a type confusion in the Chrome V8 JavaScript engine.
Tomi Engdahl says:
QBot banker delivered through business correspondence https://securelist.com/qbot-banker-business-correspondence/109535/
In early April, we detected a significant increase in attacks that use banking Trojans of the QBot family (aka QakBot, QuackBot, and Pinkslipbot). The malware would be delivered through e-mail letters written in different languages; variations of them were coming in English, German, Italian, and French. The messages were based on real business letters the attackers had gotten access to, which afforded them the opportunity to join the correspondence thread with messages of their own. As a general rule, such letters would be urging the addressee under a plausible pretext to open an enclosed PDF file. As an example, they could be asking to provide all the documentation pertaining to the attached application or to calculate the contract value based on the attached cost estimate.
Tomi Engdahl says:
New Zaraza Bot Credential-Stealer Sold on Telegram Targeting 38 Web Browsers https://thehackernews.com/2023/04/new-zaraza-bot-credential-stealer-sold.html
A novel credential-stealing malware called Zaraza bot is being offered for sale on Telegram while also using the popular messaging service as a command-and-control (C2). “Zaraza bot targets a large number of web browsers and is being actively distributed on a Russian Telegram hacker channel popular with threat actors,” cybersecurity company Uptycs said in a report published last week. “Once the malware infects a victim’s computer, it retrieves sensitive data and sends it to a Telegram server where the attackers can access it immediately.”
Tomi Engdahl says:
Hackers start abusing Action1 RMM in ransomware attacks https://www.bleepingcomputer.com/news/security/hackers-start-abusing-action1-rmm-in-ransomware-attacks/
Security researchers are warning that cybercriminals are increasingly using the Action1 remote access software for persistence on compromised networks and to execute commands, scripts, and binaries.
Action1 is a remote monitoring and management (RMM) product that is commonly used by managed service providers (MSPs) and the enterprise to remotely manage endpoints on a network. The software allows admins to automate patch management and the deploying of security updates, install software remotely, catalog hosts, troubleshoot problems on endpoints, and get real-time reports. While these types of tools are extremely helpful for admins, they are also valuable to threat actors who can use them to deploy malware or gain persistence to networks.
Tomi Engdahl says:
Google Uncovers APT41′s Use of Open Source GC2 Tool to Target Media and Job Sites https://thehackernews.com/2023/04/google-uncovers-apt41s-use-of-open.html
A Chinese nation-state group targeted an unnamed Taiwanese media organization to deliver an open source red teaming tool known as Google Command and Control (GC2) amid broader abuse of Google’s infrastructure for malicious ends.
Tomi Engdahl says:
New Chameleon Android malware mimics bank, govt, and crypto apps https://www.bleepingcomputer.com/news/security/new-chameleon-android-malware-mimics-bank-govt-and-crypto-apps/
A new Android trojan called Chameleon has been targeting users in Australia and Poland since the start of the year, mimicking the CoinSpot cryptocurrency exchange, an Australian government agency, and the IKO bank. The mobile malware was discovered by cybersecurity firm Cyble, which reports seeing distribution through compromised websites, Discord attachments, and Bitbucket hosting services. Chameleon includes a wide range of malicious functionality, including stealing user credentials through overlay injections and keylogging, cookies, and SMS texts from the infected device.
Tomi Engdahl says:
https://www.securityweek.com/lockbit-ransomware-group-developing-malware-to-encrypt-files-on-macos/
Tomi Engdahl says:
Google Warns of New Chrome Zero-Day Attack
https://www.securityweek.com/google-warns-of-new-chrome-zero-day-attack/
The high-severity vulnerability, tracked as CVE-2023-2033, is described as a type confusion in the Chrome V8 JavaScript engine.
Tomi Engdahl says:
Payments Giant NCR Hit by Ransomware
https://www.securityweek.com/payments-giant-ncr-hit-by-ransomware/
US payments giant NCR has confirmed being targeted in a ransomware attack for which the BlackCat/Alphv group has taken credit.
Tomi Engdahl says:
Used Routers Often Come Loaded With Corporate Secrets
https://www.wired.com/story/used-enterprise-router-company-secrets/
More than half of the enterprise routers researchers bought secondhand hadn’t been wiped, exposing sensitive info like login credentials and customer data.
YOU KNOW THAT you’re supposed to wipe your smartphone or laptop before you resell it or give it to your cousin. After all, there’s a lot of valuable personal data on there that should stay in your control. Businesses and other institutions need to take the same approach, deleting their information from PCs, servers, and network equipment so it doesn’t fall into the wrong hands. At the RSA security conference in San Francisco next week, though, researchers from the security firm ESET will present findings showing that more than half of secondhand enterprise routers they bought for testing had been left completely intact by their previous owners. And the devices were brimming with network information, credentials, and confidential data about the institutions they had belonged to.
The researchers bought 18 used routers in different models made by three mainstream vendors: Cisco, Fortinet, and Juniper Networks. Of those, nine were just as their owners had left them and fully accessible, while only five had been properly wiped. Two were encrypted, one was dead, and one was a mirror copy of another device.
All nine of the unprotected devices contained credentials for the organization’s VPN, credentials for another secure network communication service, or hashed root administrator passwords. And all of them included enough identifying data to determine who the previous owner or operator of the router had been.
Tomi Engdahl says:
Fake Chrome updates spread malware
https://www.malwarebytes.com/blog/news/2023/04/fake-chrome-updates-spread-malware
Compromised websites are causing big headaches for Chrome users. A campaign running since November 2022 is using hacked sites to push fake web browser updates to potential victims. Researcher Rintaro Koike says this campaign has now expanded to also target those who speak Korean, Spanish, and Japanese. Additionally, Bleeping Computer notes that some of the affected sites include news, stores, and adult portals. The attackers are likely to be primarily targeting sites based on vulnerability rather than content served. As a result, it’s difficult to predict where these bogus updates will appear next
Tomi Engdahl says:
NSO hacked iPhones without user clicks in 3 new ways, researchers say https://www.washingtonpost.com/technology/2023/04/18/nso-apple-iphones-citizen-lab/
Israeli spyware maker NSO Group deployed at least three new zero-click hacks against iPhones last year, finding ways to penetrate some of Apple’s latest software, researchers at Citizen Lab have discovered.
The attacks struck phones with iOS 15 and early versions of iOS 16 operating software, Citizen Lab said in a report Tuesday. The lab, based at the University of Toronto, shared its results with Apple, which has now fixed the flaws that NSO had been exploiting
Tomi Engdahl says:
YouTube Videos Distributing Aurora Stealer Malware via Highly Evasive Loader https://thehackernews.com/2023/04/youtube-videos-distributing-aurora.html
Cybersecurity researchers have detailed the inner workings of a highly evasive loader named “in2al5d p3in4er” (read: invalid printer) that’s used to deliver the Aurora information stealer malware. “The in2al5d p3in4er loader is compiled with Embarcadero RAD Studio and targets endpoint workstations using advanced anti-VM (virtual machine) technique,” cybersecurity firm Morphisec said in a report shared with The Hacker News. Aurora is a Go-based information stealer that emerged on the threat landscape in late 2022. Offered as a commodity malware to other actors, it’s distributed through YouTube videos and SEO-poised fake cracked software download websites
Tomi Engdahl says:
Vastaamo's former CEO Ville Tapio sentenced for a data protection offence
https://yle.fi/a/74-20027598
The Helsinki District Court has sentenced Vastaamo's former CEO Ville Tapio to a three-month suspended prison sentence for a data protection offence. According to the court, Tapio committed a data protection offence when he failed to implement at Vastaamo the General Data Protection Regulation's requirement for pseudonymisation and encryption of the personal data being processed. The rest of the charges were dismissed
Tomi Engdahl says:
NSO Group Used at Least 3 iOS Zero-Click Exploits in 2022: Citizen Lab
https://www.securityweek.com/nso-group-used-at-least-3-ios-zero-click-exploits-in-2022-citizen-lab/
NSO Group used at least three iOS zero-click exploits in Pegasus attacks in 2022: FindMyPwn, PwnYourHome, and LatentImage.
Tomi Engdahl says:
New ‘Domino’ Malware Linked to FIN7 Group, Ex-Conti Members
https://www.securityweek.com/new-domino-malware-linked-to-fin7-group-ex-conti-members/
New Domino backdoor brings together former members of the Conti group and the FIN7 threat actors.
Tomi Engdahl says:
Takedown of GitHub Repositories Disrupts RedLine Malware Operations
https://www.securityweek.com/takedown-of-github-repositories-disrupts-redline-malware-operations/
Four GitHub repositories used by RedLine stealer control panels were suspended, disrupting the malware’s operations.
Tomi Engdahl says:
A brazen surprise derailed Yle's litter collection campaign
The counter on Yle's website was misused so that a swastika formed on the map of Finland.
https://www.iltalehti.fi/kotimaa/a/03062cd1-1199-4540-bd33-48c396437e7a
This spring Yle organised a campaign in which the whole of Finland collects a million bags of litter during a two-month cleanup effort. Misuse has, however, undermined the well-intentioned stunt, which is why the counting of litter bags has had to be temporarily suspended.
On the Ylilauta discussion forum there were efforts to sabotage Yle's campaign, as at some point during the campaign a swastika made up of municipalities formed on the map of Finland. The abusers had deliberately entered certain localities into the litter counter so that the desired symbol would show up on the map.
Tomi Engdahl says:
Used routers often come loaded with corporate secrets https://arstechnica.com/information-technology/2023/04/used-routers-often-come-loaded-with-corporate-secrets/
You know that you’re supposed to wipe your smartphone or laptop before you resell it or give it to your cousin. After all, there’s a lot of valuable personal data on there that should stay in your control.
Businesses and other institutions need to take the same approach, deleting their information from PCs, servers, and network equipment so it doesn’t fall into the wrong hands. At the RSA security conference in San Francisco next week, though, researchers from the security firm ESET will present findings showing that more than half of secondhand enterprise routers they bought for testing had been left completely intact by their previous owners. And the devices were brimming with network information, credentials, and confidential data about the institutions they had belonged to
Tomi Engdahl says:
March 2023 broke ransomware attack records with 459 incidents https://www.bleepingcomputer.com/news/security/march-2023-broke-ransomware-attack-records-with-459-incidents/
March 2023 was the most prolific month recorded by cybersecurity analysts in recent years, measuring 459 attacks, an increase of 91% from the previous month and 62% compared to March 2022. According to NCC Group, which compiled a report based on statistics derived from its observations, the reason last month broke all ransomware attack records was CVE-2023-0669. This is a vulnerability in Fortra’s GoAnywhere MFT secure file transfer tool that the Clop ransomware gang exploited as a zero-day to steal data from 130 companies within ten days
Tomi Engdahl says:
Play ransomware gang uses custom Shadow Volume Copy data-theft tool https://www.bleepingcomputer.com/news/security/play-ransomware-gang-uses-custom-shadow-volume-copy-data-theft-tool/
The Play ransomware group has developed two custom tools in .NET, namely Grixba and VSS Copying Tool, which it uses to improve the effectiveness of its cyberattacks. The two tools enable attackers to enumerate users and computers in compromised networks, gather information about security, backup, and remote administration software, and easily copy files from Volume Shadow Copy Service (VSS) to bypass locked files
Tomi Engdahl says:
Google TAG Warns of Russian Hackers Conducting Phishing Attacks in Ukraine https://thehackernews.com/2023/04/google-tag-warns-of-russian-hackers.html
Elite hackers associated with Russia’s military intelligence service have been linked to large-volume phishing campaigns aimed at hundreds of users in Ukraine to extract intelligence and influence public discourse related to the war. Google’s Threat Analysis Group (TAG), which is monitoring the activities of the actor under the name FROZENLAKE, said the attacks continue the “group’s 2022 focus on targeting webmail users in Eastern Europe.”
Tomi Engdahl says:
Russian Man Who Laundered Money for Ryuk Ransomware Gang Sentenced
https://www.securityweek.com/russian-man-who-laundered-money-for-ryuk-ransomware-gang-sentenced/
Russian national Denis Dubnikov has been sentenced to time served after he pleaded guilty to charges related to laundering money for the Ryuk ransomware group.
Tomi Engdahl says:
Oracle Releases 433 New Security Patches With April 2023 CPU
https://www.securityweek.com/oracle-releases-433-new-security-patches-with-april-2023-cpu/
Oracle’s April 2023 critical patch update (CPU) includes 433 new security patches, including more than 70 that fix critical vulnerabilities.
Oracle on Tuesday announced the release of 433 new patches as part of its quarterly set of security updates, including more than 70 fixes for critical-severity vulnerabilities.
More than 250 of the addressed vulnerabilities can be exploited remotely and without authentication. Some of the resolved bugs impact multiple products.
For the third quarter in a row, Oracle Communications received the largest number of security patches, at 77.
Other Oracle applications that received numerous patches include MySQL (34 patches – 11 remotely exploitable, unauthenticated vulnerabilities)
Oracle also released patches for Java SE
Virtualization (11 – 1)
Customers are advised to apply the available patches as soon as possible. Unpatched Oracle applications are known to have been exploited in malicious attacks.
“Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update security patches as soon as possible,” the tech giant notes.
Tomi Engdahl says:
Neiman Marcus Says Hackers Breached Customer Accounts
https://www.securityweek.com/neiman-marcus-says-hackers-breached-customer-accounts/
Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.
Tomi Engdahl says:
Mandiant 2023 M-Trends Report Provides Factual Analysis of Emerging Threat Trends
https://www.securityweek.com/mandiant-2023-m-trends-report-provides-factual-analysis-of-emerging-threat-trends/
In a year dominated by kinetic/cyber war in Ukraine, North Korea doubles down on cryptocurrency thefts, China and Iran continue to take advantage, and a new form of personal intimidation of company personnel emerges.
Tomi Engdahl says:
Enterprises Exposed to Hacker Attacks Due to Failure to Wipe Discarded Routers
https://www.securityweek.com/enterprises-exposed-to-hacker-attacks-due-to-failure-to-wipe-discarded-routers/
Discarded enterprise routers are often not wiped and contain secrets that could be highly useful to malicious hackers.
Discarded enterprise routers are often not wiped properly and store secrets that could be highly useful to malicious hackers, according to an analysis conducted by cybersecurity firm ESET.
The company acquired 18 secondhand enterprise routers made by Cisco, Fortinet and Juniper Networks and found that nine devices, including core routers, contained complete configuration data. Only five devices had been properly wiped.
In the case of the nine routers, ESET was able to determine with high confidence — based on the data still present on the devices — who their previous owner was. The list included a multinational tech company and a telecoms firm, both with more than 10,000 employees and over $1 billion in revenue.
Tomi Engdahl says:
US, UK: Russia Exploiting Old Vulnerability to Hack Cisco Routers
https://www.securityweek.com/us-uk-russia-exploiting-old-vulnerability-to-hack-cisco-routers
US and UK government agencies have issued a joint warning for Russian group APT28 targeting Cisco routers by exploiting an old vulnerability.
Government agencies in the United States and United Kingdom have issued a joint cybersecurity advisory to warn organizations about attacks in which a Russian threat group has exploited an old vulnerability to hack Cisco routers.
The threat actor in question is APT28 (aka Fancy Bear, Strontium, Pawn Storm, Sednit Gang and Sofacy), which has officially been linked by the US and UK to a Russian military intelligence unit.
The APT28 attacks detailed this week targeted Cisco routers in the United States, Ukraine and other European countries in 2021. However, the exploited vulnerabilities still pose a significant risk, with Cisco saying that it’s “deeply concerned by an increase in the rate of high-sophistication attacks on network infrastructure”.
Tomi Engdahl says:
Vulnerabilities
Google Patches Second Chrome Zero-Day Vulnerability of 2023
https://www.securityweek.com/google-patches-second-chrome-zero-day-vulnerability-of-2023/
Google warns of another zero-day vulnerability in Chrome, only days after addressing a similar issue.
Google on Tuesday announced patches for another zero-day vulnerability found in the Chrome browser.
Tracked as CVE-2023-2136, the security defect is described as a high-severity integer overflow issue in Skia. The bug was reported by Google Threat Analysis Group researcher Clement Lecigne and, per Google’s policy, no monetary reward was issued for it.
“Google is aware that an exploit for CVE-2023-2136 exists in the wild,” the internet giant notes in its advisory.
CVE-2023-2136 is the second zero-day vulnerability resolved in Chrome this year, after CVE-2023-2033, a type confusion issue in the V8 JavaScript engine, was addressed with an emergency patch last week.
Tomi Engdahl says:
Bill Toulas / BleepingComputer:
NCC Group measured a record 459 ransomware attacks in March 2023, up 91% MoM and 62% YoY, saying the surge is likely due to exploits of Fortra’s GoAnywhere MFT
March 2023 broke ransomware attack records with 459 incidents
https://www.bleepingcomputer.com/news/security/march-2023-broke-ransomware-attack-records-with-459-incidents/
Tomi Engdahl says:
Tom Warren / The Verge:
Microsoft starts naming threat actor groups after weather events, like typhoon, sandstorm, and blizzard; each name represents a nation state or a motivation — Microsoft has started naming hackers after the weather in a new naming taxonomy update. Hackers will now be named after events like storms …
Microsoft is giving hackers weather-themed names like storm, typhoon, and blizzard
Crimson Sandstorm isn’t a fancy new Surface color — it’s Iranian state-aligned hackers.
https://www.theverge.com/2023/4/19/23689456/microsoft-weather-cybersecurity-threat-actors-naming