This posting is here to collect cyber security news in June 2023.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
323 Comments
Tomi Engdahl says:
Data leak at major law firm sets Australia’s government and elites scrambling https://www.theregister.com/2023/06/20/hwl_ebsworth_cyber_incident/
An infosec incident at a major Australian law firm has sparked fear among the nation’s governments, banks and businesses – and a free speech debate.
The firm, HWL Ebsworth, has acknowledged that on April 28, “we became aware that a threat actor identified as ALPHV/BlackCat made a post on a dark web forum claiming to have exfiltrated data from HWL Ebsworth.”
Tomi Engdahl says:
Potential Risk of Privilege Escalation in Azure AD Applications https://msrc.microsoft.com/blog/2023/06/potential-risk-of-privilege-escalation-in-azure-ad-applications/
Microsoft has developed mitigations for an insecure anti-pattern used in Azure AD (AAD) applications highlighted by Descope, and reported to Microsoft, where use of the email claim from access tokens for authorization can lead to an escalation of privilege. An attacker can falsify the email claim in tokens issued to applications. Additionally, the threat of data leakage exists if applications use such claims for email lookup.
https://www.bleepingcomputer.com/news/security/microsoft-fixes-azure-ad-auth-flaw-enabling-account-takeover/
Tomi Engdahl says:
Group-IB Discovers 100K+ Compromised ChatGPT Accounts on Dark Web Marketplaces; Asia-Pacific region tops the list https://www.group-ib.com/media-center/press-releases/stealers-chatgpt-credentials/
Group-IB has identified 101,134 stealer-infected devices with saved ChatGPT credentials. Group-IB’s experts highlight that more and more employees are taking advantage of the Chatbot to optimize their work, be it software development or business communications. By default, ChatGPT stores the history of user queries and AI responses. Consequently, unauthorized access to ChatGPT accounts may expose confidential or sensitive information, which can be exploited for targeted attacks against companies and their employees.
https://www.bitdefender.com/blog/hotforsecurity/100-000-hacked-chatgpt-accounts-up-for-sale-on-the-dark-web/
https://www.theregister.com/2023/06/20/stolen_chatgpt_accounts/
Tomi Engdahl says:
Russian APT28 hackers breach Ukrainian govt email servers https://www.bleepingcomputer.com/news/security/russian-apt28-hackers-breach-ukrainian-govt-email-servers/
A threat group tracked as APT28 and linked to Russia’s General Staff Main Intelligence Directorate (GRU) has breached Roundcube email servers belonging to multiple Ukrainian organizations, including government entities.
https://therecord.media/russia-fancy-bear-hackers-targeted-ukraine
Tomi Engdahl says:
Unpacking RDStealer: An Exfiltration Malware Targeting RDP Workloads https://www.bitdefender.com/blog/businessinsights/unpacking-rdstealer-an-exfiltration-malware-targeting-rdp-workloads/
In June 2023, Bitdefender Labs published a research paper about espionage operation in East Asia. This operation was ongoing since at least the beginning of 2022, showing a high level of sophistication typically associated with state-sponsored groups. The most interesting discovery in this research is a new custom malware we named RDStealer. This server-side implant is monitoring incoming Remote Desktop Protocol (RDP) connections with client drive mapping enabled. Connecting RDP clients are infected with Logutil backdoor (another custom malware), and sensitive data (such as credentials or private keys) is exfiltrated.
https://thehackernews.com/2023/06/experts-uncover-year-long-cyber-attack.html
https://www.bleepingcomputer.com/news/security/new-rdstealer-malware-steals-from-drives-shared-over-remote-desktop/
Tomi Engdahl says:
‘Sign in to continue’ and suffer: Attackers abusing legitimate services for credential theft https://blog.checkpoint.com/security/sign-in-to-continue-and-suffer-attackers-abusing-legitimate-services-for-credential-theft/
Check Point Research (CPR) detected an ongoing phishing campaign that uses legitimate services for credential harvesting and data exfiltration in order to evade detection.
HTML files are one of the most common attack vectors and are used by attackers for phishing, and other scams.
Tomi Engdahl says:
Russian APT Group Caught Hacking Roundcube Email Servers
https://www.securityweek.com/russian-apt-group-caught-hacking-roundcube-email-servers/
A Russian hacking group has been caught hacking into Roundcube servers to spy on government institutions and military entities in Ukraine.
Tomi Engdahl says:
Researchers Flag Account Takeover Flaw in Microsoft Azure AD OAuth Apps
https://www.securityweek.com/researchers-flag-account-takeover-flaw-in-microsoft-azure-ad-oauth-apps/
Businesses using ‘Log in with Microsoft’ could be exposed to privilege escalation and full account takeover exploits.
Researchers at security startup Descope have discovered a major misconfiguration in Microsoft Azure AD OAuth applications and warned that any business using ‘Log in with Microsoft’ could be exposed to full account takeover exploits.
The security defect, nicknamed nOAuth, is described as an authentication implementation flaw that can affect Microsoft Azure AD multi-tenant OAuth applications.
According to an advisory documenting the issue, Descope noted that a malicious actor can modify email attributes in Microsoft Azure AD accounts and exploit the one-click “Log in with Microsoft” feature with the email address of any victim they want to impersonate.
nOAuth: How Microsoft OAuth Misconfiguration Can Lead to Full Account Takeover
https://www.descope.com/blog/post/noauth
This blog will cover how the Descope security team discovered a gray area in Microsoft Azure AD OAuth applications that could lead to full account takeover. We are naming this configuration issue “nOAuth” because even the bleakest of days has some room for wordplay.
Reach out to our security team if you believe your app is vulnerable to nOAuth and need assistance. Read on to understand how this configuration issue arises, its impact, and suggested remediation steps.
Tomi Engdahl says:
VMware Confirms Live Exploits Hitting Just-Patched Security Flaw
https://www.securityweek.com/vmware-confirms-live-exploits-hitting-just-patched-security-flaw/
VMware updates a critical-level bulletin: “VMware has confirmed that exploitation of CVE-2023-20887 has occurred in the wild.”
Less than two weeks after shipping urgent patches to cover security defects in its Aria Operations for Networks product, VMware says hackers have started launching exploits in the wild.
The virtualization technology giant on Tuesday updated a critical-level bulletin with a blunt warning to businesses running the network monitoring software: “VMware has confirmed that exploitation of CVE-2023-20887 has occurred in the wild.”
The live exploits, first flagged by GreyNoise, target the CVE-2023-20887 command injection vulnerability that carries a CVSS severity score of 9.8/10.
“A malicious actor with network access to VMware Aria Operations for Networks may be able to perform a command injection attack resulting in remote code execution,” VMware said in an advisory released earlier this month.
https://viz.greynoise.io/tag/vmware-aria-operations-for-networks-rce-attempt?days=30
Tomi Engdahl says:
OT:Icefall: Vulnerabilities Identified in Wago Controllers
https://www.securityweek.com/oticefall-vulnerabilities-identified-in-wago-controllers/
Forescout Technologies has disclosed the details of vulnerabilities impacting operational technology (OT) products from Wago and Schneider Electric.
Forescout Technologies has disclosed the details of three vulnerabilities impacting operational technology (OT) products from Wago and Schneider Electric.
The flaws were identified as part of the OT:Icefall research that has led to the public disclosure of 61 vulnerabilities impacting more than 100 OT products from 13 vendors.
After an initial set of 56 vulnerabilities disclosed in June 2022, Forescout shared the details of three more flaws in November 2022, and is now adding two new bugs to the list, while also sharing information on a previously identified but not disclosed issue.
Tracked as CVE-2023-1619 and CVE-2023-1620, the new vulnerabilities impact Wago 750 controllers using the Codesys v2 runtime and could be exploited by an authenticated attacker to cause a denial-of-service (DoS) condition, Forescout says.
The first issue is the result of a poor implementation of protocol parsers, while the second is an insufficient session expiration bug. The two flaws can be exploited by an authenticated attacker to crash a device, by sending a malformed packet or specific requests after being logged out, respectively.
Tomi Engdahl says:
New ‘RDStealer’ Malware Targets RDP Connections
https://www.securityweek.com/new-rdstealer-malware-targets-rdp-connections/
Bitdefender finds new malware capable of monitoring incoming RDP connections and infect the connecting clients that have client drive mapping enabled.
A state-sponsored espionage campaign is leveraging new custom malware to monitor incoming remote desktop protocol (RDP) connections and infect connecting clients with a backdoor, according to a warning from security firm Bitdefender.
The campaign has been operational since the beginning of 2022 and appears aligned with the interest of China-based threat actors, the company said in a blog post documenting the malware activity.
Bearing the hallmarks of a state-sponsored group, Bitdefender said the espionage campaign stands out with two custom tools written in the Go programming language — the Logutil backdoor and the RDStealer malware.
Tomi Engdahl says:
Tokmanni exposed customer data by email – affects up to 400,000 people
https://www.is.fi/digitoday/tietoturva/art-2000008859502.html
A mistake by Tokmanni’s service provider affects a total of about 400,000 email addresses of the retail chain’s customers, but the damage may be broader than this.
2.6.2022 13:16
The retail chain Tokmanni is warning its customers about an error that occurred over the weekend in the sending of newsletters to subscribers’ email addresses. One customer posted Tokmanni’s message on Twitter, according to which some of the newsletters went out with the wrong first name and/or email address.
According to Tokmanni’s investor relations and communications manager Maarit Mikkonen, a customer may have received, for example, a message that starts with the wrong first name, along the lines of “Hi Mikko”, with everything else correct. Or there have been messages that start with “Hi Mikko” and have that person’s email address at the very bottom of the message.
Tomi Engdahl says:
Apple addresses two zero-days exploited in Operation Triangulation spyware campaign https://therecord.media/apple-patch-zero-days-exploited-in-spyware-campaign
Apple has released patches for two zero-days exploited in a spyware campaign that the Russian government has blamed on the U.S. The campaign, dubbed Operation Triangulation, was publicized by the Moscow-based cybersecurity company Kaspersky in early June after the malware was detected on iPhones within its network, as well as on Wednesday in new research describing how the spyware behaves. It has been active since 2019 and attacks its targets by sending iMessages with malicious attachments.
Dissecting TriangleDB, a Triangulation spyware implant:
https://securelist.com/triangledb-triangulation-implant/110050/
https://www.bleepingcomputer.com/news/apple/apple-fixes-zero-days-used-to-deploy-triangulation-spyware-via-imessage/
Tomi Engdahl says:
Exclusive: TikTok Confirms Some U.S. User Data Is Stored In China https://www.forbes.com/sites/alexandralevine/2023/06/21/tiktok-confirms-data-china-bytedance-security-cfius/
TikTok has acknowledged to the U.S. government that sensitive information about American creators who sign up to earn money through the app is stored in China. A Forbes investigation found that TikTok has stored the financial information of its biggest American and European stars—including those in the TikTok Creator Fund—on servers in China.
Tomi Engdahl says:
Oreo maker Mondelez staff hit by data breach at third-party law firm https://www.bitdefender.com/blog/hotforsecurity/oreo-maker-mondelez-staff-hit-by-data-breach-at-third-party-law-firm/
Snack giant Mondelez is warning past and present employees that their personal information may now be in the hands of hackers following a data breach at a third-party firm.
Tomi Engdahl says:
3CX data exposed, third-party to blame
https://cybernews.com/security/3cx-data-leak-third-party/
A third-party vendor of 3CX, a popular Voice over Internet Protocol (VoIP) comms provider, left an open server and exposed sensitive 3CX data. The issue went under the company’s radar, even though it was recently targeted by North Korean hackers.
Tomi Engdahl says:
Norton Parent Says Employee Data Stolen in MOVEit Ransomware Attack https://www.securityweek.com/norton-parent-says-employee-data-stolen-in-moveit-ransomware-attack/
Gen Digital, the company behind known cybersecurity brands such as Avast, Avira, AVG, Norton, and LifeLock, has confirmed that employees’ personal information was compromised in the recent MOVEit ransomware attack.
https://therecord.media/moveit-vulnerabilities-attacks-gen-norton-vancouver-missouri
Tomi Engdahl says:
Condi DDoS Botnet Spreads via TP-Link’s CVE-2023-1389
https://www.fortinet.com/blog/threat-research/condi-ddos-botnet-spreads-via-tp-links-cve-2023-1389
FortiGuard Labs encountered recent samples of a DDoS-as-a-service botnet calling itself Condi. It attempted to spread by exploiting TP-Link Archer AX21 (AX1800) routers vulnerable to CVE-2023-1389, which was disclosed in mid-March of this year. We have additionally observed an increasing number of Condi samples collected from our monitoring systems since the end of May 2023, indicating an active attempt to expand the botnet.
This blog details the capabilities of this botnet.
Tomi Engdahl says:
Beware bad passwords as attackers co-opt Linux servers into cybercrime https://nakedsecurity.sophos.com/2023/06/21/beware-bad-passwords-as-attackers-co-opt-linux-servers-into-cybercrime/
Researchers at Korean anti-malware business AhnLab are warning about an old-school attack that they say they’re seeing a lot of these days, where cybercriminals guess their way into Linux shell servers and use them as jumping-off points for further attacks, often against innocent third parties.
Tomi Engdahl says:
Chinese APT15 hackers resurface with new Graphican malware https://www.bleepingcomputer.com/news/security/chinese-apt15-hackers-resurface-with-new-graphican-malware/
The Chinese state-sponsored hacking group tracked as APT15 has been observed using a novel backdoor named ‘Graphican’ in a new campaign between late 2022 and early 2023.
APT15, also known as Nickel, Flea, Ke3Chang, and Vixen Panda, are Chinese state hackers targeting important public and private organizations worldwide since at least 2004.
https://therecord.media/apt15-nickel-graphican-backdoor
Tomi Engdahl says:
Kremlin-backed hacking group puts fresh emphasis on stealing credentials https://therecord.media/nobelium-hacking-group-stealing-credentials
Microsoft has detected an increase in credential-stealing attacks conducted by the Russian state-affiliated hacker group often labeled as APT29, Cozy Bear or Nobelium. These attacks are directed at governments, IT service providers, nongovernmental organizations (NGOs), and defense and critical manufacturing industries.
Tomi Engdahl says:
Suspect in the Discord leak denies guilt – will await trial in jail
https://www.is.fi/ulkomaat/art-2000009673214.html
21-year-old Jack Teixeira is charged with retaining and transmitting national defense information. He could face a prison sentence of up to several decades.
Tomi Engdahl says:
Enphase Ignores CISA Request to Fix Remotely Exploitable Flaws
https://www.securityweek.com/enphase-ignores-cisa-request-to-fix-remotely-exploitable-flaws/
Enphase Energy has ignored CISA requests to fix remotely exploitable vulnerabilities in Enphase products.
The US Cybersecurity and Infrastructure Security Agency (CISA) this week issued advisories detailing two unpatched vulnerabilities in Enphase products.
An American energy technology company, Enphase builds and sells solar micro-inverters, charging stations, and other energy equipment, mainly focused on residential customers.
On Tuesday, CISA published two ICS advisories to warn of vulnerabilities in Enphase products that could lead to information leaks or command execution. Both are said to be remotely exploitable with low attack complexity.
Tracked as CVE-2023-32274 (CVSS score of 8.6), the first of the flaws impacts the Enphase Installer Toolkit, a mobile solution that aids with the installation and configuration of Enphase Systems.
The application also allows users to connect to the Enphase Envoy communication gateway over wireless networks to perform system setups, and allows them to view system status.
Tomi Engdahl says:
Critical WordPress Plugin Vulnerabilities Impact Thousands of Sites
https://www.securityweek.com/critical-wordpress-plugin-vulnerabilities-impact-thousands-of-sites/
Two critical-severity authentication bypass vulnerabilities in WordPress plugins with tens of thousands of installations.
Web application security firm Defiant warns of critical-severity authentication bypass vulnerabilities in two WordPress plugins with tens of thousands of installations.
The first security defect, tracked as CVE-2023-2986 (CVSS score of 9.8/10), impacts the Abandoned Cart Lite for WooCommerce, a plugin that notifies customers who did not complete the purchase process, and which has more than 30,000 active installations.
The issue has been patched in Abandoned Cart Lite for WooCommerce version 5.15.1, which was released on June 13. Based on WordPress statistics, tens of thousands of websites have not yet applied the fix.
On Tuesday, Defiant also raised an alarm on a critical-severity vulnerability – CVE-2023-2834 (CVSS severity score 9.8/10) – in BookIt, a WordPress plugin with more than 10,000 active installations.
Tomi Engdahl says:
Asus Patches Highly Critical WiFi Router Flaws
https://www.securityweek.com/asus-patches-highly-critical-wifi-router-flaws/
Asus patched nine WiFi router security defects, including a highly critical 2018 vulnerability that exposes users to code execution attacks.
Tomi Engdahl says:
Chrome and Its Vulnerabilities – Is the Web Browser Safe to Use?
https://www.securityweek.com/chrome-and-its-vulnerabilities-is-the-web-browser-safe-to-use/
Why are there so many vulnerabilities in Chrome? Is it realistically safe to use? Can Google do anything to make the web browser safer?
Like all major applications, Google’s Chrome suffers from vulnerabilities. During 2022, SecurityWeek reported on 456 vulnerabilities (averaging 38 per month), including nine zero-days. The high number of flaws needing to be patched poses a simple question: is Chrome safe to use?
This high rate of vulnerability disclosures and patches has continued into 2023. Chrome 109 patched 17 and six vulnerabilities in January. Chrome 110 patched 15 vulnerabilities in February; version 111 patched 40 and 8 in March; and version 112 patched 16 in April. April also saw a patch for the second zero-day vulnerability of 2023. Chrome 113 patched 15 vulnerabilities in May, followed by a further 12 vulnerabilities. June started with the third of 2023’s zero-day patches, in Chrome 114, and this was followed by a further 5 patches.
The list is so long it almost becomes boringly repetitive – but it will undoubtedly continue growing through the rest of the year and beyond. The questions raised, however, are not boring. Why are there so many vulnerabilities? Is Chrome realistically safe to use? Can Google do anything to make the product safer? Can users do anything to increase their safety? SecurityWeek talked to Tal Zamir, the CTO at Tel Aviv, Israel-based Perception Point (a detection and response vendor covering major threat surfaces including browsers).
The primary reason for the number of vulnerabilities is basically just statistics. It’s a combination of the size of the codebase, the attraction of the target, and the number of people who use it. “Over the years, Chrome has grown into a huge codebase – almost an operating system like Windows in its size, because it has so many features under the hood,” said Zamir.
The larger the codebase, the greater the number of vulnerabilities. That’s a reality of computing. The more an application is used, the greater the number of attackers looking for ways to attack it. This will include both criminals and nation states and is again inescapable. It’s worth noting that according to Statcounter (May 2023), Chrome had a 62.87% share of the global browser market. Safari was second with 20.7%, while Edge came in third with just 5.32%.
We cannot expect Google to do more to secure its code. This again is an inescapable feature of business life. Google would have to reduce both the quantity and speed with which it introduces new features, and that goes against the grain of ensuring and perhaps increasing market share. Microsoft has always been in catch-up mode for browsers, but now there is a full-fledged battle over the best (that is, most profitable) integration of AI into their products.
“Microsoft is giving Google a real fight,” said Zamir. “This is especially in the enterprise space but also for consumers who are tempted to go with the Microsoft bundles. I predict that it will become even harder for Google to fight and keep its first place in the browser space. In this fight, it will add new features and try to innovate even faster. When you do this, you typically put security as a secondary consideration. Speed is the need – you need to be in front of the users with shiny new things, and security might lag. It doesn’t mean that Google will neglect security. It definitely invests in the security of Chrome – but I think security will be secondary to the new features.”
Where Google cannot be criticized is over its reactive approach to Chrome security. The policy is to seek (by its own research teams and bug bounty program), and then remedy and patch vulnerabilities before they can be abused by attackers.
This is a reactive rather than proactive approach. While Google itself is largely forced by business realities to be reactive on security – and most companies are in the same position – the user can take a more proactive approach. This inevitably involves the addition of specialist security products, such as that from Perception Point, to protect the application and its use.
This raises one further question – if small security firms can protect Chrome, why cannot Google (one of the largest developers in the world) develop similar protection inside Chrome? “Google definitely could,” said Zamir, “if it was willing to invest many years of engineering.”
Technically, it is possible, but economically it is infeasible. We come back to the ‘shiny new thing’ image. For Chrome, the shiny new things are the additional features that make it attractive to users. Invisibly embedded complex security controls do not qualify as shiny new things, so will always be pushed down the priority line. But for a third party security vendor, security is the shiny thing.
Tomi Engdahl says:
Sergiu Gatlan / BleepingComputer:
Apple patches three zero-days in its operating systems, including Operation Triangulation iMessage exploit described by Kaspersky earlier in June — Apple addressed three new zero-day vulnerabilities exploited in attacks installing Triangulation spyware on iPhones via iMessage zero-click exploits.
Apple fixes zero-days used to deploy Triangulation spyware via iMessage
https://www.bleepingcomputer.com/news/apple/apple-fixes-zero-days-used-to-deploy-triangulation-spyware-via-imessage/
“Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7,” the company says when describing Kernel and WebKit vulnerabilities tracked as CVE-2023-32434 and CVE-2023-32435.
The two security flaws were found and reported by Kaspersky security researchers Georgy Kucherin, Leonid Bezvershenko, and Boris Larin.
Tomi Engdahl says:
TikTok’s Answer to Security Concerns? Grant Oracle Full Source Code Access
Oracle will also have access to TikTok’s algorithm and content-moderation material.
https://uk.pcmag.com/social-media/146987/tiktoks-answer-to-security-concerns-grant-oracle-full-source-code-access
Tomi Engdahl says:
UPS discloses data breach after exposed customer info used in SMS phishing
https://www.bleepingcomputer.com/news/security/ups-discloses-data-breach-after-exposed-customer-info-used-in-sms-phishing/
Tomi Engdahl says:
https://www.androidpolice.com/malware-android-vpn-ddos-botnet/
Tomi Engdahl says:
Over 100,000 ChatGPT accounts stolen and sold on dark web
By Craig Hale
Asia-Pacific ChatGPT accounts hit the worst, but the US wasn’t immune
https://www.techradar.com/pro/over-100000-chatgpt-accounts-stolen-and-sold-on-dark-web
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/new-condi-malware-builds-ddos-botnet-out-of-tp-link-ax21-routers/
Tomi Engdahl says:
Man was accused on Facebook of being a terrorist and a spy – Meta dragged its feet, and soon the man had been shot
24.6.2023 19:01
A friend of the researcher had a direct line to Meta’s moderation team and asked for help there. The gunmen were faster, however.
https://www.mikrobitti.fi/uutiset/miesta-syytettiin-facebookissa-terroristiksi-seka-vakoojaksi-meta-hidasteli-ja-kohta-mies-olikin-jo-ammuttu/0749d195-a135-4e64-9413-c50b71444c18
The respected Iraqi historian Hisham al-Hashimi was shot in front of his home in Baghdad in 2020.
Al-Hashimi had criticized armed groups operating in Iraq and was well connected among the country’s power groups. He knew people from both the government and the opposition.
An Iraqi historian was slain after being labeled a spy on Facebook. Exclusive emails show catastrophic delays in removing threatening posts.
https://www.businessinsider.com/metas-moderation-is-failing-and-people-are-getting-killed-2023-6
Tomi Engdahl says:
APT37 hackers deploy new FadeStealer eavesdropping malware https://www.bleepingcomputer.com/news/security/apt37-hackers-deploy-new-fadestealer-eavesdropping-malware/
The North Korean APT37 hacking group uses a new ‘FadeStealer’ information-stealing malware containing a ‘wiretapping’ feature, allowing the threat actor to snoop and record from victims’ microphones.
https://thehackernews.com/2023/06/scarcruft-hackers-exploit-ably-service.html
APT37, also known as StarCruft, Reaper, or RedEyes, is believed to be a state-sponsored hacking group with a long history of conducting cyber espionage attacks aligned with North Korean interests. These attacks target North Korean defectors, educational institutions, and EU-based organizations.
In the past, the hackers were known to utilize custom malware called ‘Dolphin’ and ‘M2RAT’ to execute commands and steal data, credentials, and screenshots from Windows devices and even connected mobile phones.
It starts with a CHM file
In a new report from the AhnLab Security Emergency Response Center (ASEC), researchers provide information on new custom malware dubbed ‘AblyGo backdoor’ and ‘FadeStealer’ that the threat actors use in cyber espionage attacks.
The malware is believed to be delivered using phishing emails with attached archives containing password-protected Word and Hangul Word Processor documents (.docx and .hwp files) and a ‘password.chm’ Windows CHM file.
ASEC believes that the phishing emails instruct the recipient to open the CHM file to obtain the password for the documents, which begins the infection process on the Windows device.
Once the CHM file is opened, it will display the alleged password to open the document but also quietly downloads and executes a remote PowerShell script that contains backdoor functionality and is registered to autostart with Windows.
This PowerShell backdoor communicates with the attackers’ command and control servers and executes any commands sent by the attackers.
Tomi Engdahl says:
VMware fixes vCenter Server bugs allowing code execution, auth bypass https://www.bleepingcomputer.com/news/security/vmware-fixes-vcenter-server-bugs-allowing-code-execution-auth-bypass/
VMware has addressed multiple high-severity security flaws in vCenter Server, which can let attackers gain code execution and bypass authentication on unpatched systems.
vCenter Server is the control center for VMware’s vSphere suite and a server management solution that helps admins manage and monitor virtualized infrastructure.
Tomi Engdahl says:
GitHub Dataset Research Reveals Millions Potentially Vulnerable to RepoJacking https://www.bleepingcomputer.com/news/security/millions-of-github-repos-likely-vulnerable-to-repojacking-researchers-say/
Username and repository name changes are frequent on GitHub, as organizations can get new management through acquisition or merger, or they can switch to a new brand name.
When this happens, a redirection is created to avoid breaking dependencies for projects using code from repositories that changed their name; however, if someone registers the old name, that redirection becomes invalid.
RepoJacking is an attack where a malicious actor registers a username and creates a repository used by an organization in the past but which has since changed its name.
Tomi Engdahl says:
CISA orders govt agencies to patch bugs exploited by Russian hackers https://www.bleepingcomputer.com/news/security/cisa-orders-govt-agencies-to-patch-bugs-exploited-by-russian-hackers/
On Thursday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added six more security flaws to its known exploited vulnerabilities (KEV) list.
Three of them were exploited by Russian APT28 cyberspies to hack into Roundcube email servers belonging to Ukrainian government organizations.
While the KEV catalog’s primary focus is alerting federal agencies of exploited vulnerabilities that must be patched as soon as possible, it is also highly advised that private companies worldwide prioritize addressing these bugs.
Tomi Engdahl says:
CISA orders agencies to patch iPhone bugs abused in spyware attacks https://www.bleepingcomputer.com/news/security/cisa-orders-agencies-to-patch-iphone-bugs-abused-in-spyware-attacks/
Today, CISA ordered federal agencies to patch recently patched security vulnerabilities exploited as zero-days to deploy Triangulation spyware on iPhones via iMessage zero-click exploits.
The warning comes after Kaspersky published a report detailing a Triangulation malware component used in a campaign it tracks as “Operation Triangulation.”
Kaspersky says it found the spyware on iPhones belonging to employees in its Moscow office and from other countries. The attacks started in 2019 and are still ongoing, according to the company, and they use iMessage zero-click exploits that exploit the now-patched iOS zero-day bugs.
Tomi Engdahl says:
MOVEIt breach impacts GenWorth, CalPERS as data for 3.2 million exposed https://www.bleepingcomputer.com/news/security/moveit-breach-impacts-genworth-calpers-as-data-for-32-million-exposed/
PBI Research Services (PBI) has suffered a data breach with three clients disclosing that the data for 4.75 million people was stolen in the recent MOVEit Transfer data-theft attacks.
These attacks started on May 27th, 2023, when the Clop ransomware gang began exploiting a MOVEit Transfer zero-day vulnerability to allegedly steal data from hundreds of companies.
Over the past week, the Clop gang began extorting companies by slowly listing impacted organizations on its data leak site as they attempt to pressure victims to pay a ransom demand.
Tomi Engdahl says:
LockBit Green and phishing that targets organizations https://securelist.com/crimeware-report-lockbit-switchsymb/110068/
In recent months, we published private reports on a broad range of subjects.
We wrote about malware targeting Brazil, about CEO fraud attempts, Andariel, LockBit and others. For this post, we selected three private reports, namely those related to LockBit and phishing campaigns targeting businesses, and prepared excerpts from these.
In contrast to BEC campaigns that are targeted and require significant effort from the criminals, ordinary phishing campaigns are relatively simple. This creates opportunities for automation, of which the SwitchSymb phishing kit is one example.
Tomi Engdahl says:
Grafana warns of critical auth bypass due to Azure AD integration https://www.bleepingcomputer.com/news/security/grafana-warns-of-critical-auth-bypass-due-to-azure-ad-integration/
Grafana has released security fixes for multiple versions of its application, addressing a vulnerability that enables attackers to bypass authentication and take over any Grafana account that uses Azure Active Directory for authentication.
Grafana is a widely used open-source analytics and interactive visualization app that offers extensive integration options with a wide range of monitoring platforms and applications.
The bug is caused by Grafana authenticating Azure AD accounts based on the email address configured in the associated ‘profile email’ setting. However, this setting is not unique across all Azure AD tenants, allowing threat actors to create Azure AD accounts with the same email address as legitimate Grafana users and use them to hijack accounts.
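The anti-pattern described above, as an added example that is not Grafana's code: an application that keys its user lookup on the email claim can be logged into by any Azure AD account, from any tenant, carrying the same email string, because that value is not unique across tenants. The hardened lookup keys on the tenant id plus the object id inside that tenant and refuses tokens from tenants that are not on an allowlist. The claim names `tid`, `oid` and `email` follow Azure AD token conventions; the tenant and object ids, the user and the store are constructed placeholders.

```python
"""Email-claim account matching (vulnerable) beside tenant+object-id matching (hardened).

Added example, not Grafana's implementation. Claims, tenant ids and object ids
below are constructed placeholders, not real GUIDs or tokens.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    login: str
    tid: str    # tenant the account was provisioned from
    oid: str    # object id of the account inside that tenant
    email: str  # display/contact only, never an identity key


class UserStore:
    def __init__(self, users):
        self._users = list(users)

    def by_email(self, email):
        for u in self._users:
            if email and u.email.lower() == email.lower():
                return u
        return None

    def by_tenant_oid(self, tid, oid):
        for u in self._users:
            if u.tid == tid and u.oid == oid:
                return u
        return None


def login_vulnerable(store, claims):
    """The reported pattern: whoever presents a matching email claim is that user."""
    return store.by_email(claims.get("email"))


def login_hardened(store, claims, allowed_tenants):
    """Identity is (tid, oid) and the issuing tenant must be allowlisted.
    A missing tid/oid or an unknown tenant is rejected outright."""
    tid, oid = claims.get("tid"), claims.get("oid")
    if not tid or not oid or tid not in allowed_tenants:
        return None
    return store.by_tenant_oid(tid, oid)


# Constructed data: one existing user provisioned from the victim tenant.
VICTIM_TENANT = "tenant-victim-placeholder"
ATTACKER_TENANT = "tenant-attacker-placeholder"
STORE = UserStore([User("alice", VICTIM_TENANT, "oid-alice-placeholder", "alice@example.com")])

# Constructed claims: the attacker's own tenant and object id, but alice's email
# string, which is not unique across tenants.
ATTACKER_CLAIMS = {"tid": ATTACKER_TENANT, "oid": "oid-attacker-placeholder",
                   "email": "alice@example.com"}
ALICE_CLAIMS = {"tid": VICTIM_TENANT, "oid": "oid-alice-placeholder",
                "email": "alice@example.com"}


def demo():
    """Who each login path resolves the attacker's token to, and that alice still works."""
    return {
        "vulnerable_attacker": login_vulnerable(STORE, ATTACKER_CLAIMS),
        "hardened_attacker": login_hardened(STORE, ATTACKER_CLAIMS, {VICTIM_TENANT}),
        "hardened_alice": login_hardened(STORE, ALICE_CLAIMS, {VICTIM_TENANT}),
    }


if __name__ == "__main__":
    for name, user in demo().items():
        print(name, "->", user.login if user else None)
```

The same binding has to hold on the auto-provisioning path: if a first login creates the account from the token, store (tid, oid) at that point and never let a later token with a matching email attach to it.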
Tomi Engdahl says:
University of Manchester confirms data theft in recent cyberattack https://www.bleepingcomputer.com/news/security/university-of-manchester-confirms-data-theft-in-recent-cyberattack/
The University of Manchester finally confirmed that attackers behind a cyberattack disclosed in early June had stolen data belonging to alums and current students.
The university first disclosed the attack on June 9, warning that data was likely stolen but said the incident was unrelated to the MOVEit Transfer data theft attacks.
Tomi Engdahl says:
American Airlines, Southwest Airlines disclose data breaches affecting pilots https://www.bleepingcomputer.com/news/security/american-airlines-southwest-airlines-disclose-data-breaches-affecting-pilots/
American Airlines and Southwest Airlines, two of the largest airlines in the world, disclosed data breaches on Friday caused by the hack of Pilot Credentials, a third-party vendor that manages multiple airlines’ pilot applications and recruitment portals.
Both airlines were informed of the Pilot Credentials incident on May 3, which was limited solely to the systems of the third-party vendor, with no compromise or impact on the airlines’ own networks or systems.
An unauthorized individual gained access to Pilot Credentials’ systems on April 30 and stole documents containing information provided by certain applicants in the pilot and cadet hiring process.
Tomi Engdahl says:
Twitter Hacker Sentenced to 5 Years in Prison for $120,000 Crypto Scam https://thehackernews.com/2023/06/twitter-hacker-sentenced-to-5-years-in.html
A U.K. citizen who took part in the massive July 2020 hack of Twitter has been sentenced to five years in prison in the U.S.
Joseph James O’Connor (aka PlugwalkJoe), 24, was awarded the sentence on Friday in the Southern District of New York, a little over a month after he pleaded guilty to the criminal schemes. He was arrested in Spain in July 2021.
The infamous Twitter breach allowed the defendant and his co-conspirators to obtain unauthorized access to backend tools used by Twitter, abusing them to hijack 130 popular accounts to perpetrate a crypto scam that netted them about $120,000 in illegal profits.
Tomi Engdahl says:
Checkmate: What Chess Taught Me About Cyber Resilience https://www.forbes.com/sites/forbestechcouncil/2023/06/23/checkmate-what-chess-taught-me-about-cyber-resilience/
In the game of chess, every single move contributes to the overall outcome.
All 16 pawns—the queen, knights, bishops and others—provide unique value to a player. The queen is the most powerful piece of the game and, if used strategically, can protect every other piece.
When investing in cybersecurity, CISOs must strategically place every resource in the right spot. Making the right moves at the right time will ensure the tools, people, practices and processes they invest in can protect their systems, networks and data from a cyberattack or data breach.
Making strategic moves is critical in building a successful and secure business.
A chess player must outsmart their opponent by predicting their next move and subsequently making a move to counteract their opponent. In cybersecurity, security teams must think ahead by putting themselves in the adversary’s shoes.
Tomi Engdahl says:
IoT devices and Linux-based systems targeted by OpenSSH trojan campaign https://www.microsoft.com/en-us/security/blog/2023/06/22/iot-devices-and-linux-based-systems-targeted-by-openssh-trojan-campaign/
Cryptojacking, the illicit use of computing resources to mine cryptocurrency, has become increasingly prevalent in recent years, with attackers building a cybercriminal economy around attack tools, infrastructure, and services to generate revenue from targeting a wide range of vulnerable systems, including Internet of Things (IoT) devices. Microsoft researchers have recently discovered an attack leveraging custom and open-source tools to target internet-facing Linux-based systems and IoT devices. The attack uses a patched version of OpenSSH to take control of impacted devices and install cryptomining malware.
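A check a practitioner would run after reading the above, as an added example that is not part of Microsoft's report: compare the OpenSSH binaries on a host with the checksums the package manager recorded at install time. On Debian-family systems dpkg keeps one `<md5hex>  <path relative to />` line per packaged file in `/var/lib/dpkg/info/<package>.md5sums`; an sshd that was replaced by a patched build no longer matches. The demo builds a constructed file tree and checksum record in a temporary directory so it runs offline; the live entry point points `root` at `/`.

```python
"""Verify installed OpenSSH files against dpkg's recorded checksums.

Added example, not from the original report. demo() constructs a fake tree and
md5sums record in a temp directory; verify_installed_package() is the live path.
"""
import hashlib
import os
import tempfile

DPKG_INFO = "/var/lib/dpkg/info"


def parse_md5sums(text):
    """Parse dpkg md5sums content ('<md5hex>  <relative path>') into {path: md5hex}."""
    expected = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, _, path = line.partition("  ")
        if len(digest) != 32 or not path:
            raise ValueError(f"malformed md5sums line: {line!r}")
        expected[path] = digest.lower()
    return expected


def md5_of_file(path):
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_package_files(expected, root="/", only_under=("usr/sbin/", "usr/bin/", "usr/lib/")):
    """Return {relative_path: 'missing' | 'modified'} for executables and libraries
    that are absent or whose content no longer matches the package record."""
    findings = {}
    for rel, digest in expected.items():
        if only_under and not rel.startswith(only_under):
            continue
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            findings[rel] = "missing"
        elif md5_of_file(full) != digest:
            findings[rel] = "modified"
    return findings


def verify_installed_package(name, root="/"):
    """Live check on a Debian-family host, e.g. verify_installed_package('openssh-server')."""
    record = os.path.join(root, DPKG_INFO.lstrip("/"), f"{name}.md5sums")
    with open(record) as fh:
        return verify_package_files(parse_md5sums(fh.read()), root=root)


def demo():
    """Constructed tree: packaged ssh client intact, sshd replaced, one helper deleted."""
    good_ssh = b"#!/bin/sh\n# stand-in for the packaged ssh client\n"
    good_sshd = b"#!/bin/sh\n# stand-in for the packaged sshd\n"
    trojan_sshd = good_sshd + b"# bytes appended by an attacker\n"
    record = (
        f"{hashlib.md5(good_ssh).hexdigest()}  usr/bin/ssh\n"
        f"{hashlib.md5(good_sshd).hexdigest()}  usr/sbin/sshd\n"
        f"{hashlib.md5(b'helper').hexdigest()}  usr/lib/openssh/ssh-keysign\n"
    )
    with tempfile.TemporaryDirectory() as root:
        for rel, data in (("usr/bin/ssh", good_ssh), ("usr/sbin/sshd", trojan_sshd)):
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        return verify_package_files(parse_md5sums(record), root=root)


if __name__ == "__main__":
    print(demo())
```

Caveat: the md5sums record sits on the same disk as the binaries, so an attacker with root can rewrite both. Treat a clean result as a first pass only, and confirm against a freshly downloaded copy of the package or an offline baseline; on rpm-based hosts `rpm -V openssh-server` performs the equivalent comparison.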
Tomi Engdahl says:
USB Drives Used as Trojan Horses By Camaro Dragon https://www.infosecurity-magazine.com/news/usb-trojan-camaro-dragon/
New versions of Chinese espionage malware have been observed spreading rapidly through infected USB drives.
The malicious software tools were discovered by Check Point Research (CPR) as part of an attack against a healthcare institution in Europe and described in an advisory published on Thursday.
The Check Point Incident Response Team (CPIRT) investigated the malware attack and found that it was perpetrated by Camaro Dragon, a Chinese-based espionage threat actor also known as Mustang Panda and LuminousMoth.
Tomi Engdahl says:
Trojanized Super Mario game used to install Windows malware https://www.bleepingcomputer.com/news/security/trojanized-super-mario-game-used-to-install-windows-malware/
A trojanized installer for the popular Super Mario 3: Mario Forever game for Windows has been infecting unsuspecting players with multiple malware infections.
Super Mario 3: Mario Forever is a free-to-play remake of the classic Nintendo game developed by Buziol Games and released for the Windows platform in 2003.
The game became very popular, downloaded by millions, who praised it for featuring all the mechanics of the classic Mario series but with updated graphics and modernized styling and sound.
If you have recently downloaded Super Mario 3: Mario Forever, you should scan your computer for installed malware and remove any that are detected.
Tomi Engdahl says:
Microsoft Teams Attack Skips the Phish to Deliver Malware Directly https://www.darkreading.com/vulnerabilities-threats/microsoft-teams-attack-phish-deliver-malware-directly
A bug in the latest version of Microsoft Teams allows for external sources to send files to an organization’s employees even though the application typically blocks such activity, researchers have found. This gives threat actors an alternative to complex and expensive phishing campaigns to deliver malware into target organizations — but Microsoft won’t be addressing it as a priority.
Tomi Engdahl says:
Jessica Gould / Gothamist:
NYC says the MOVEit flaw exposed ~45K students’ data, following March 2022’s breach of ~820K students’ data via the Illuminate Education grading software hack
Another data breach at NYC schools exposes student and staff information
https://gothamist.com/news/another-data-breach-at-nyc-schools-exposes-student-and-staff-information
The New York City Department of Education estimates that the personal data of some 45,000 students was compromised as part of a breach involving the file transfer software MOVEit.
Officials said the compromised data includes social security numbers, birth dates and certain student evaluations, though the specific types of data breached varies per student. Employees’ information was also affected, officials said, but they did not identify how many staff members were involved. No education department data has been published as a result of the breach so far, officials said, and the department will begin notifying those affected this summer.
Multiple federal agencies and many companies were also affected by the breach, which is being attributed to Russian cybercriminals.
“The safety and security of our students and staff, including their personal information and data, is of the utmost importance for the New York City Department of Education,” said department spokesperson Nathaniel Styer. “Currently we have no reason to believe there is ongoing unauthorized access to DOE systems.”