This posting is here to collect cyber security news in September 2023.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
314 Comments
Tomi Engdahl says:
https://www.securityweek.com/in-other-news-lastpass-vault-hacking-russia-targets-ukraine-energy-facility-nxp-breach/
Tomi Engdahl says:
https://www.securityweek.com/cisco-asa-zero-day-exploited-in-akira-ransomware-attacks/
Tomi Engdahl says:
https://www.securityweek.com/apple-patches-actively-exploited-ios-macos-zero-days/
Tomi Engdahl says:
US Aeronautical Organization Hacked via Zoho, Fortinet Vulnerabilities
APTs exploited vulnerabilities in Zoho ManageEngine and Fortinet VPNs to hack an aerospace organization in early January 2023.
Tomi Engdahl says:
Powerful Ethnic Militia in Myanmar Repatriates 1,200 Chinese Suspected of Involvement in Cybercrime
One of Myanmar’s biggest and most powerful ethnic minority militias arrested and repatriated more than 1,200 Chinese nationals allegedly involved in criminal online scam operations.
https://www.securityweek.com/powerful-ethnic-militia-in-myanmar-repatriates-1200-chinese-suspected-of-involvement-in-cybercrime/
Tomi Engdahl says:
Mobile & Wireless
Android Zero-Day Patched With September 2023 Security Updates
Android’s September 2023 security update resolves a high-severity elevation of privilege vulnerability exploited in malicious attacks
https://www.securityweek.com/android-zero-day-patched-with-september-2023-security-updates/
Tomi Engdahl says:
https://www.securityweek.com/new-phishing-campaign-launched-via-google-looker-studio/
Tomi Engdahl says:
Google fixes another Chrome zero-day bug exploited in attacks https://www.bleepingcomputer.com/news/google/google-fixes-another-chrome-zero-day-bug-exploited-in-attacks/
Google released emergency security updates to fix the fourth Chrome zero-day vulnerability exploited in attacks since the start of the year.
“Google is aware that an exploit for CVE-2023-4863 exists in the wild,” the company revealed in a security advisory published on Monday.
The new version is currently rolling out to users in the Stable and Extended stable channels, and it’s estimated that it will reach the entire user base over the coming days or weeks.
Chrome users are advised to upgrade their web browser to version 116.0.5845.187 (Mac and Linux) and 116.0.5845.187/.188 (Windows) as soon as possible, as it patches the CVE-2023-4863 vulnerability on Windows, Mac, and Linux systems.
Tomi Engdahl says:
Israel investigates potential breach of lawmakers’ phones https://therecord.media/israel-opposition-phones-whatsapp-outage-investigation
Israel’s security agency is investigating a potential phone breach of opposition party lawmakers, according to local media reports.
On Saturday, 15 members of the Yesh Atid political party, including the Israeli opposition leader Yair Lapid, had their WhatsApp accounts temporarily blocked, sparking concerns about potential phone hacking.
The shutdown lasted for nearly three hours, and the party reported it to the security service.
While it’s still unclear whether Saturday’s incident was a hack or not, there is potential for spyware to target WhatsApp accounts.
Tomi Engdahl says:
“MrTonyScam” — Botnet of Facebook Users Launch High-Intent Messenger Phishing Attack on Business Accounts https://labs.guard.io/mrtonyscam-botnet-of-facebook-users-launch-high-intent-messenger-phishing-attack-on-business-3182cfb12f4d
Facebook’s Messenger platform has been heavily abused in the past month to spread endless messages with malicious attachments from a swarm of fake and hijacked personal accounts. These threat actors are targeting millions of business accounts on Facebook’s platform — from highly-rated marketplace sellers to large corporations, with fake business inquiries, achieving a staggering “success rate” with approximately 1 out of 70 infected!
Originating yet again from a Vietnamese-based group, this campaign uses a tiny compressed file attachment that packs a powerful Python-based stealer dropped in a multi-stage process full of simple yet effective obfuscation methods.
In this write-up, we will share our analysis of this campaign, including how it appears from the victim’s perspective as well as the threat actor’s ecosystem of dark markets. All of this will illustrate how this operation, along with its robust underground marketplace supply and demand, manages to compromise so many businesses on one of the world’s most popular platforms.
Tomi Engdahl says:
OriginBotnet Spreads via Malicious Word Document https://www.fortinet.com/blog/threat-research/originbotnet-spreads-via-malicious-word-document
In August, FortiGuard Labs obtained a Word document containing a malicious URL designed to entice victims to download a malware loader. This loader employs a binary padding evasion strategy that adds null bytes to increase the file’s size to 400 MB. The payloads of this loader include OriginBotnet for keylogging and password recovery, RedLine Clipper for cryptocurrency theft, and AgentTesla for harvesting sensitive information.
In this blog, we examine the various stages of how the file is deployed and delve into the specifics of the malware it delivers.
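The binary-padding evasion described in that post (the loader inflates itself with null bytes to 400 MB so that size-limited scanners skip it) is cheap to detect by measuring the trailing null region and hashing only the real content. The following Python is an added example, not FortiGuard’s code or the loader; the sample bytes are constructed in memory and the thresholds are assumptions to tune per environment.

```python
"""Detect null-byte padding evasion: measure how much of a file is trailing 0x00
and hash only the real content. Added example, not FortiGuard's code; the sample
bytes are constructed and the thresholds are assumptions."""
import hashlib

# Constructed stand-in for a padded loader: ~2 KB of content + 40 KB of nulls.
# The real loader pads to ~400 MB; the logic is the same, only the ratio differs.
PAYLOAD = b"MZ" + bytes(range(256)) * 8          # ends in 0xFF, so no trailing nulls
PADDED_SAMPLE = PAYLOAD + b"\x00" * 40_000


def trailing_null_length(data: bytes, chunk: int = 1 << 20) -> int:
    """Count trailing 0x00 bytes, scanning from the end one chunk at a time so a
    multi-hundred-megabyte file is not walked byte by byte in Python."""
    end = len(data)
    while end > 0:
        start = max(0, end - chunk)
        kept = data[start:end].rstrip(b"\x00")
        if kept:                         # first non-null byte from the end found
            return len(data) - (start + len(kept))
        end = start                      # whole chunk was null; keep going
    return len(data)                     # file is entirely null


def padding_report(data: bytes, min_ratio: float = 0.5, min_bytes: int = 10 << 20) -> dict:
    """Flag a file whose trailing null run is both large in absolute terms and a large
    fraction of the file (thresholds are assumptions). The core hash lets you match
    the same loader across different padding sizes, which the full-file hash cannot."""
    padding = trailing_null_length(data)
    core = data[:len(data) - padding]
    ratio = padding / len(data) if data else 0.0
    return {
        "total_size": len(data),
        "padding": padding,
        "core_size": len(core),
        "padding_ratio": round(ratio, 3),
        "core_sha256": hashlib.sha256(core).hexdigest(),
        "suspicious": padding >= min_bytes and ratio >= min_ratio,
    }


if __name__ == "__main__":
    print(padding_report(PADDED_SAMPLE, min_bytes=1024))
```

The default 10 MB floor keeps ordinary installers with a little slack space from being flagged; the `core_sha256` is the value to pivot on when hunting for the same loader shipped with different padding sizes.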
Tomi Engdahl says:
Steal-It Campaign
https://www.zscaler.com/blogs/security-research/steal-it-campaign
Zscaler ThreatLabz recently discovered a new stealing campaign dubbed as the “Steal-It” campaign. In this campaign, the threat actors steal and exfiltrate NTLMv2 hashes using customized versions of Nishang’s Start-CaptureServer PowerShell script, executing various system commands, and exfiltrating the retrieved data via Mockbin APIs.
Through an in-depth analysis of the malicious payloads, our team observed a geofencing strategy employed by the campaign, with specific focus on targeting regions including Australia, Poland, and Belgium. These operations use customized PowerShell scripts, designed to pilfer crucial NTLM hashes before transmitting them to the Mockbin platform. The initial phase of the campaign involves the deployment of LNK files concealed in zip archives, while ensuring persistence within the system through strategic utilization of the StartUp folder. Additionally, the gathered system information and NTLMv2 hashes are exfiltrated using Mockbin APIs.
We believe the Steal-It campaign may be attributed to APT28 (aka Fancy Bear) based on its similarities with the APT28 cyber attack reported by CERT-UA in the Threat Actor Attribution section.
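Start-CaptureServer-style tooling works by answering an HTTP request with 401 and `WWW-Authenticate: NTLM`, then decoding the `Authorization: NTLM <base64>` token that the Windows client sends back; the client’s NTLMv2 response plus the server’s challenge is exactly the crackable material the campaign ships to Mockbin. The following Python is an added example, not Nishang’s script and not the campaign’s payload: it builds constructed NTLMSSP messages, parses them at the MS-NLMP field offsets and emits the NetNTLMv2 line in hashcat mode 5600 format. Every user name, challenge and response value is made up.

```python
"""Decode the NTLM-over-HTTP exchange a rogue capture server provokes and emit the
NetNTLMv2 line (hashcat mode 5600). Added example; not Nishang's Start-CaptureServer
and not the campaign's script. All values below are constructed."""
import base64
import struct

SIG = b"NTLMSSP\x00"
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
FLAGS = 0x00088205   # UNICODE | REQUEST_TARGET | NTLM | ALWAYS_SIGN | EXTENDED_SESSIONSECURITY

# --- constructed sample values, not a real capture ---------------------------
SERVER_CHALLENGE = bytes.fromhex("1122334455667788")
NTPROOF = bytes.fromhex("00112233445566778899aabbccddeeff")
BLOB = bytes.fromhex("0101000000000000"      # response version + reserved
                     "0000000000000000"      # timestamp (zeroed here)
                     "aabbccddeeff0011"      # client challenge
                     "00000000" "00000000")  # reserved + empty AV_PAIR list
NT_RESPONSE_V2 = NTPROOF + BLOB              # NTLMv2: 16-byte NTProofStr + blob


def build_type2(challenge: bytes) -> bytes:
    """Minimal CHALLENGE_MESSAGE: what the rogue server puts in WWW-Authenticate."""
    return (SIG + struct.pack("<I", 2) + struct.pack("<HHI", 0, 0, 56)   # TargetName empty
            + struct.pack("<I", FLAGS) + challenge + bytes(8)            # flags, challenge, reserved
            + struct.pack("<HHI", 0, 0, 56) + bytes(8))                  # TargetInfo empty, Version


def build_type3(user, domain, workstation, nt_response, lm_response=bytes(24)) -> bytes:
    """AUTHENTICATE_MESSAGE laid out as a Windows client sends it (MS-NLMP 2.2.1.3)."""
    fields = [lm_response, nt_response, domain.encode("utf-16-le"),
              user.encode("utf-16-le"), workstation.encode("utf-16-le"), b""]  # no session key
    header, payload = SIG + struct.pack("<I", 3), b""
    base = 12 + 6 * 8 + 4 + 8                  # six field descriptors + flags + Version
    for f in fields:
        header += struct.pack("<HHI", len(f), len(f), base + len(payload))
        payload += f
    return header + struct.pack("<I", FLAGS) + bytes(8) + payload


def _field(msg: bytes, off: int) -> bytes:
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, off)
    return msg[offset:offset + length]


def ntlm_token(header_value: str) -> bytes:
    """'NTLM <base64>' from an Authorization / WWW-Authenticate header -> raw message."""
    scheme, _, token = header_value.partition(" ")
    if scheme.upper() != "NTLM":
        raise ValueError("not an NTLM header")
    return base64.b64decode(token)


def parse_type2(msg: bytes) -> bytes:
    """Return the 8-byte ServerChallenge; without it the response cannot be cracked."""
    if msg[:8] != SIG or struct.unpack_from("<I", msg, 8)[0] != 2:
        raise ValueError("not a CHALLENGE_MESSAGE")
    return msg[24:32]


def parse_type3(msg: bytes) -> dict:
    """Pull user, domain, workstation and the NT response out of the client's reply."""
    if msg[:8] != SIG or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an AUTHENTICATE_MESSAGE")
    flags = struct.unpack_from("<I", msg, 60)[0]
    enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "cp437"  # OEM codepage assumed
    return {"lm_response": _field(msg, 12), "nt_response": _field(msg, 20),
            "domain": _field(msg, 28).decode(enc), "user": _field(msg, 36).decode(enc),
            "workstation": _field(msg, 44).decode(enc)}


def to_hashcat_5600(server_challenge: bytes, auth: dict):
    """user::domain:serverchallenge:ntproofstr:blob, or None if the response is not NTLMv2."""
    nt = auth["nt_response"]
    if len(nt) <= 24:                # 24 bytes = NTLMv1 (0 = anonymous); not mode 5600
        return None
    return "%s::%s:%s:%s:%s" % (auth["user"], auth["domain"], server_challenge.hex(),
                                nt[:16].hex(), nt[16:].hex())


def capture_demo() -> str:
    """The round trip after the client's initial NEGOTIATE (omitted): 401 with
    WWW-Authenticate from the server, then Authorization from the client."""
    www_authenticate = "NTLM " + base64.b64encode(build_type2(SERVER_CHALLENGE)).decode()
    challenge = parse_type2(ntlm_token(www_authenticate))
    authorization = "NTLM " + base64.b64encode(
        build_type3("alice", "CORP", "WS01", NT_RESPONSE_V2)).decode()
    return to_hashcat_5600(challenge, parse_type3(ntlm_token(authorization)))


if __name__ == "__main__":
    print(capture_demo())
```

The defensive reading of this is the same as the offensive one: any outbound HTTP 401/NTLM exchange to a host that is not a known proxy or intranet server is worth an alert, because the client hands over exactly the fields parsed here without the user seeing a prompt.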
Tomi Engdahl says:
Vulnerabilities Allow Hackers to Hijack, Disrupt Socomec UPS Devices
https://www.securityweek.com/vulnerabilities-allow-hackers-to-hijack-disrupt-socomec-ups-devices/
A researcher has found 7 vulnerabilities in Socomec UPS products that can be exploited to hijack and disrupt devices.
Some uninterruptible power supply (UPS) products made by Socomec are affected by several vulnerabilities that can be exploited to hijack and disrupt devices.
Socomec is a France-based electrical equipment manufacturing company that specializes in low voltage energy performance. Its offering includes modular UPS devices that are used by businesses in various sectors around the world.
Aaron Flecha Menendez, an ICS security consultant at Spain-based cybersecurity firm S21sec, discovered that some Socomec UPS devices, specifically MODULYS GP (MOD3GP-SY-120K), are affected by seven vulnerabilities.
The list includes cross-site scripting (XSS), plaintext password storage, code injection, session cookie theft, cross-site request forgery (CSRF), and insecure storage of sensitive information, with severities ranging from ‘medium’ to ‘critical’.
Tomi Engdahl says:
FBI Blames North Korean Hackers for $41 Million Stake.com Heist
https://www.securityweek.com/fbi-blames-north-korean-hackers-for-41-million-stake-com-heist/
FBI says North Korean hacking group Lazarus has stolen $41 million in cryptocurrency from online betting platform Stake.com.
Tomi Engdahl says:
Associated Press Stylebook Users Targeted in Phishing Attack Following Data Breach
https://www.securityweek.com/associated-press-stylebook-users-targeted-in-phishing-attack-following-data-breach/
Cybercriminals breached an AP Stylebook website and obtained information on customers who were then targeted in phishing attacks.
The Associated Press is informing some AP Stylebook customers that their information has been compromised as a result of a data breach impacting an old website.
The AP Stylebook, a writing and editing guide that is widely used by corporations and newsrooms, is hosted on apstylebook.com. However, an older version was until recently also available, on stylebooks.com. This older version, which a third party had maintained on behalf of AP, was no longer in use, but it was still accessible.
Threat actors hacked into the old site and managed to obtain the information of more than 220 customers, including their name, postal address, email address, phone number, and user ID. In some cases, customers also provided social security numbers or taxpayer IDs, which may have also been stolen by hackers.
The third party that maintained the old site informed AP on July 20 that some users had received phishing emails pointing to a fake AP Stylebook website that instructed them to provide updated payment card information.
Tomi Engdahl says:
Bookstore Chain Dymocks Discloses Data Breach Possibly Impacting 800k Customers
https://www.securityweek.com/bookstore-chain-dymocks-discloses-data-breach-possibly-impacting-800k-customers/
The personal information of more than 800,000 individuals was stolen from bookstore chain Dymocks in a cyberattack last week.
Bookstore chain Dymocks Booksellers is informing hundreds of thousands of individuals that their personal information might have been stolen in a data breach last week.
The Australian company, which has more than 60 brick-and-mortar stores and an online bookstore, says that it identified the unauthorized access to customer records on September 6, and that it immediately launched an investigation into the incident.
“While our investigation is ongoing and at the early stages, our cybersecurity experts have found evidence of discussions regarding our customer records being available on the dark web,” Dymocks says in a customer notice.
Tomi Engdahl says:
After Microsoft and X, Hackers Launch DDoS Attack on Telegram
https://www.securityweek.com/after-microsoft-and-x-hackers-launch-ddos-attack-on-telegram/
Anonymous Sudan launches a DDoS attack against Telegram in retaliation for the suspension of their primary account on the platform.
The hacker group Anonymous Sudan has launched a distributed denial-of-service (DDoS) attack against Telegram in retaliation to the messaging platform’s decision to suspend their primary account, threat intelligence firm SOCRadar reports.
Claiming to be a hacktivist group motivated by political and religious causes, Anonymous Sudan has orchestrated DDoS attacks against organizations in Australia, Denmark, France, Germany, India, Israel, Sweden, and the UK.
The group has been active since the beginning of the year and established its Telegram channel on January 18, announcing intent to launch cyberattacks against any entity opposing Sudan. The group’s activity began with the targeting of several Swedish sites.
However, Anonymous Sudan came to fame in June, after launching a series of disruptive DDoS attacks targeting Microsoft 365, impacting Outlook, Microsoft Teams, OneDrive for Business, and SharePoint Online. Microsoft’s Azure cloud computing platform was also affected.
Tomi Engdahl says:
Microsoft September 2023 Patch Tuesday fixes 2 zero-days, 59 flaws https://www.bleepingcomputer.com/news/microsoft/microsoft-september-2023-patch-tuesday-fixes-2-zero-days-59-flaws/
Today is Microsoft’s September 2023 Patch Tuesday, with security updates for 59 flaws, including two actively exploited zero-day vulnerabilities.
While twenty-four RCE bugs were fixed, Microsoft only rated five as ‘Critical’ — four remote code execution flaws and an Azure Kubernetes Service elevation of privilege vulnerability.
This month’s Patch Tuesday fixes two zero-day vulnerabilities, with both exploited in attacks and one of them publicly disclosed.
Tomi Engdahl says:
KRP: Beware of this kind of call from a 0295 number https://www.is.fi/digitoday/tietoturva/art-2000009849760.html
The National Bureau of Investigation (KRP) warns of scam calls coming from an official number beginning with 0295.
– Scam calls are going around in which the caller poses as an employee of the National Bureau of Investigation and tries to get hold of the victim’s bank and payment card details, KRP writes.
KRP reminds that the police never ask for people’s bank and payment card details over the phone.
– Do not give anyone your online banking credentials or personal information. If you suspect you have fallen victim to fraud, notify your own bank immediately and file a police report, KRP advises.
0295 numbers are nationwide, portable, operator-independent numbers with no service charges. Besides the police, they are used by other authorities and, for example, by TE Offices (employment and economic development offices).
Tomi Engdahl says:
Save the Children hit by ransomware, 7TB stolen https://www.theregister.com/2023/09/11/bianlian_save_the_children/
Cybercrime crew BianLian says it has broken into the IT systems of a top nonprofit and stolen a ton of files, including what the miscreants claim is financial, health, and medical data.
As highlighted by VX-Underground and Emsisoft threat analyst Brett Callow earlier today, BianLian bragged on its website it had hit an organization that, based on the gang’s description of its unnamed victim, looks to be Save The Children International. The NGO, which employs about 25,000 people, says it has helped more than a billion kids since it was founded in 1919.
BianLian added that its victim, “the world’s leading nonprofit,” operates in 116 countries with $2.8 billion in revenues. The extortionists claim to have stolen 6.8TB of data, which they say includes international HR files, personal data, and more than 800GB of financial records. They claim to also have email messages as well as medical and health data.
Tomi Engdahl says:
CISA offers free security scans for public water utilities https://www.bleepingcomputer.com/news/security/cisa-offers-free-security-scans-for-public-water-utilities/
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has announced it is offering free security scans for critical infrastructure facilities, such as water utilities, to help protect these crucial units from hacker attacks.
“You can reduce the risk of a cyberattack at your utility by externally scanning your networks for vulnerabilities caused by publicly facing devices,” reads the program’s description.
The program works by having CISA’s agents run specialized scanners that identify a facility’s internet-exposed endpoints and discover vulnerabilities or misconfigurations in those known to be exploited by hackers.
Tomi Engdahl says:
Apple backports BLASTPASS zero-day fix to older iPhones https://www.bleepingcomputer.com/news/security/apple-backports-blastpass-zero-day-fix-to-older-iphones/
Apple released security updates for older iPhones to fix a zero-day vulnerability tracked as CVE-2023-41064 that was actively exploited to infect iOS devices with NSO’s Pegasus spyware.
CVE-2023-41064 is a remote code execution flaw that is exploited by sending maliciously crafted images via iMessage.
As reported by Citizen Lab earlier this month, CVE-2023-41064 and a second flaw tracked as CVE-2023-41061 were used as a zero-click attack chain dubbed BLASTPASS, which involves sending specially crafted images in iMessage PassKit attachments to install spyware.
The security updates have now been backported to iOS 15.7.9 and iPadOS 15.7.9, macOS Monterey 12.6.9, and macOS Big Sur 11.7.10 to prevent the use of this attack chain on those devices.
Tomi Engdahl says:
Guarding Against the Unseen: Investigating a Stealthy Remcos Malware Attack on Colombian Firms https://research.checkpoint.com/2023/guarding-against-the-unseen-investigating-a-stealthy-remcos-malware-attack-on-colombian-firms/
In the last two months, Check Point researchers encountered a new large-scale phishing campaign that recently targeted more than 40 prominent companies across multiple industries, in Colombia. The attackers’ objective was to discreetly install the notorious “Remcos” malware on victims’ computers.
Remcos, a sophisticated “Swiss Army Knife” RAT, grants attackers full control over the infected computer and can be used in a variety of attacks. Common consequences of a Remcos infection include data theft, follow-up infections, and account takeover. In our report, we delve into the attack intricacies and highlight the stealthy techniques employed by the malicious actors.
Tomi Engdahl says:
Free Download Manager backdoored – a possible supply chain attack on Linux machines https://securelist.com/backdoored-free-download-manager-linux-malware/110465/
Over the last few years, Linux machines have become a more and more prominent target for all sorts of threat actors. According to our telemetry, 260,000 unique Linux samples appeared in the first half of 2023. As we will demonstrate in this article, campaigns targeting Linux can operate for years without being noticed by the cybersecurity community.
We discovered one such long-lasting attack when we decided to investigate a set of suspicious domains. We identified that the domain in question has a deb.fdmpkg[.]org subdomain. This subdomain claims to host a Debian repository of a piece of software called ‘Free Download Manager’. We further discovered a Debian package of this software available for download. This package turned out to contain an infected postinst script that is executed upon installation.
Tomi Engdahl says:
Persistent Threat: New Exploit Puts Thousands of GitHub Repositories and Millions of Users at Risk https://checkmarx.com/blog/persistent-threat-new-exploit-puts-thousands-of-github-repositories-and-millions-of-users-at-risk/
A new vulnerability has been discovered that could allow an attacker to exploit a race condition within GitHub’s repository creation and username renaming operations. This technique could be used to perform a Repojacking attack (hijacking popular repositories to distribute malicious code). This finding marks the fourth time a unique method was identified that could potentially bypass GitHub’s “Popular repository namespace retirement” mechanism. The vulnerability has been reported to GitHub and has been fixed.
Tomi Engdahl says:
macOS MetaStealer | New Family of Obfuscated Go Infostealers Spread in Targeted Attacks https://www.sentinelone.com/blog/macos-metastealer-new-family-of-obfuscated-go-infostealers-spread-in-targeted-attacks/
This year has seen an explosion of infostealers targeting the macOS platform.
Throughout 2023, we have observed a number of new infostealer families including MacStealer, Pureland, Atomic Stealer and RealStealer (aka Realst).
Over the last few months, we have also been tracking a family of macOS infostealers we call ‘MetaStealer’. Last week, Apple dropped a new signature for XProtect that detects some (but not all) variants of the MetaStealer family.
In this post, we describe how MetaStealer differs from other recent stealers, as well as indicate some intriguing overlaps with other malware. We highlight how threat actors are proactively targeting macOS businesses by posing as fake clients in order to socially engineer victims into launching malicious payloads, and we provide a comprehensive list of indicators to help threat hunters and security teams identify MetaStealer in their environments.
Tomi Engdahl says:
New MidgeDropper Variant
https://www.fortinet.com/blog/threat-research/new-midgedropper-variant
One of the most exciting aspects of malware analysis is coming across a family that is new or rare to the reversing community. Determining the function of the malware, who created it, and the reasons behind it become a mystery to solve. The previously unseen dropper variant we recently found, named MidgeDropper, has a complex infection chain that includes code obfuscation and sideloading, making it an interesting use case. Although we couldn’t obtain the final payload, this blog will still explore what makes this dropper tick.
The initial infection vector was not available to FortiGuard Labs at the time of our investigation. However, we strongly suspect it to be a phishing e-mail because we have access to a RAR archive—!PENTING_LIST OF OFFICERS.rar—that would have been the likely attachment to an e-mail.
Tomi Engdahl says:
Free Download Manager site redirected Linux users to malware for years
https://www.bleepingcomputer.com/news/security/free-download-manager-site-redirected-linux-users-to-malware-for-years/?fbclid=IwAR3LQ82xOxZYpzvIUvtaJA2CnWw-L2ev-Kj_wlSNIzoq1mhFlJnkkBljcdQ
A reported Free Download Manager supply chain attack redirected Linux users to a malicious Debian package repository that installed information-stealing malware.
The malware used in this campaign establishes a reverse shell to a C2 server and installs a Bash stealer that collects user data and account credentials.
Kaspersky discovered the potential supply chain compromise case while investigating suspicious domains, finding that the campaign has been underway for over three years.
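Both Free Download Manager write-ups above (the Securelist analysis and the BleepingComputer summary) come down to the same mechanism: a Debian package whose postinst maintainer script runs as root at install time. A package can be inspected for that offline, because a .deb is just an `ar` archive holding `debian-binary`, `control.tar.*` (where the maintainer scripts live) and `data.tar.*`. The following Python is an added example, not Kaspersky’s tooling and not the malicious package: it walks the ar container, pulls the maintainer scripts out of the control tarball and flags idioms typical of a backdoored postinst. The sample packages are built in memory and the patterns are heuristics, not signatures from the incident.

```python
"""Open a .deb offline, extract its maintainer scripts and flag idioms typical of a
backdoored postinst. Added example: not Kaspersky's tooling and not the poisoned
package; the sample packages are constructed in memory, the patterns are heuristics."""
import io
import re
import tarfile

AR_MAGIC = b"!<arch>\n"
MAINTAINER_SCRIPTS = ("preinst", "postinst", "prerm", "postrm")

# (regex, finding) pairs; assumptions to tune per estate, not detections from the case
SUSPICIOUS = [
    (r"crontab\s|/etc/cron\.", "schedules a cron job at install time"),
    (r"\b(curl|wget)\s", "downloads content during installation"),
    (r"base64\s+(-d|--decode)", "decodes an embedded base64 blob"),
    (r"/dev/tcp/|\bnc\s+-e|bash\s+-i", "reverse-shell idiom"),
    (r"\bnohup\s|\bsetsid\s", "daemonizes a process"),
]


def ar_members(blob: bytes):
    """Walk the 'ar' container a .deb really is: debian-binary, control.tar.*, data.tar.*."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos = len(AR_MAGIC)
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]                          # fixed 60-byte member header
        if hdr[58:60] != b"`\n":
            raise ValueError("corrupt ar header")
        name = hdr[0:16].decode().strip().rstrip("/")    # GNU ar may suffix names with '/'
        size = int(hdr[48:58].decode())
        start = pos + 60
        yield name, blob[start:start + size]
        pos = start + size + (size & 1)                   # members are padded to even offsets


def maintainer_scripts(deb: bytes) -> dict:
    """{script name: text} for maintainer scripts found in control.tar.* (gz/bz2/xz)."""
    for name, body in ar_members(deb):
        if name.startswith("control.tar"):
            with tarfile.open(fileobj=io.BytesIO(body), mode="r:*") as tf:
                found = {}
                for m in tf.getmembers():
                    base = m.name.lstrip("./")
                    if m.isfile() and base in MAINTAINER_SCRIPTS:
                        found[base] = tf.extractfile(m).read().decode("utf-8", "replace")
                return found
    raise ValueError("no control.tar.* member (zstd control archives not handled here)")


def scan_deb(deb: bytes) -> dict:
    """{script: [findings]} for every maintainer script; an empty list means nothing matched."""
    return {script: [why for pat, why in SUSPICIOUS if re.search(pat, text)]
            for script, text in maintainer_scripts(deb).items()}


# --- constructed test packages ------------------------------------------------
def _ar(members) -> bytes:
    out = bytearray(AR_MAGIC)
    for name, data in members:
        out += f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}`\n".encode()
        out += data + (b"\n" if len(data) & 1 else b"")
    return bytes(out)


def _tar_gz(files: dict) -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, text in files.items():
            data = text.encode()
            info = tarfile.TarInfo("./" + name)
            info.size, info.mode = len(data), 0o755
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_deb(scripts: dict) -> bytes:
    return _ar([("debian-binary", b"2.0\n"),
                ("control.tar.gz", _tar_gz(scripts)),
                ("data.tar.gz", _tar_gz({}))])


CLEAN_POSTINST = "#!/bin/sh\nset -e\nupdate-desktop-database -q || true\nexit 0\n"
BACKDOORED_POSTINST = (                       # hypothetical; not the real postinst
    "#!/bin/sh\nset -e\n"
    "(crontab -l 2>/dev/null; echo '*/10 * * * * /var/tmp/crond') | crontab -\n"
    "echo 'ZWNobyBoaQ==' | base64 -d | sh\n"   # decodes to: echo hi
    "exit 0\n")


if __name__ == "__main__":
    print(scan_deb(build_deb({"postinst": BACKDOORED_POSTINST})))
```

Run it against a real package by passing `open("pkg.deb", "rb").read()` to `scan_deb`. A hit is a reason to read the script, not proof of compromise; the point is that a repository redirect like the one described only pays off if nobody looks at the maintainer scripts before `dpkg -i` runs them as root.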
Tomi Engdahl says:
MGM Resorts Confirms ‘Cybersecurity Issue’, Shuts Down Systems
https://www.securityweek.com/mgm-resorts-confirms-cybersecurity-issue-shuts-down-systems/
MGM Resorts confirms “cybersecurity incident” led to the shutdown of web sites and IT systems of hotels throughout the United States.
Tomi Engdahl says:
Sergiu Gatlan / BleepingComputer:
Mozilla releases an emergency security update to fix a critical zero-day vulnerability exploited in the wild, impacting Firefox and its Thunderbird email client
Mozilla patches Firefox, Thunderbird against zero-day exploited in attacks
https://www.bleepingcomputer.com/news/security/mozilla-patches-firefox-thunderbird-against-zero-day-exploited-in-attacks/
Mozilla released emergency security updates today to fix a critical zero-day vulnerability exploited in the wild, impacting its Firefox web browser and Thunderbird email client.
Tracked as CVE-2023-4863, the security flaw is caused by a heap buffer overflow in the WebP code library (libwebp), whose impact spans from crashes to arbitrary code execution.
“Opening a malicious WebP image could lead to a heap buffer overflow in the content process. We are aware of this issue being exploited in other products in the wild,” Mozilla said in an advisory published on Tuesday.
Mozilla addressed the exploited zero-day in Firefox 117.0.1, Firefox ESR 115.2.1, Firefox ESR 102.15.1, Thunderbird 102.15.1, and Thunderbird 115.2.2.
Even though specific details regarding the WebP flaw’s exploitation in attacks remain undisclosed, this critical vulnerability is being abused in real-world scenarios.
Hence, users are strongly advised to install updated versions of Firefox and Thunderbird to safeguard their systems against potential attacks.
Tomi Engdahl says:
Philip Glamann / Bloomberg:
China claims to have noticed “some security incidents concerning Apple phones”, without elaborating, after the government reportedly curtails staff iPhone use
China Flags ‘Security Incidents’ With Apple’s iPhones
https://www.bloomberg.com/news/articles/2023-09-13/china-says-it-has-noticed-security-incidents-with-iphones#xj4y7vzkg
Beijing makes its first comments since reports of iPhone ban
The government attaches ‘great importance’ to security
Tomi Engdahl says:
https://www.securityweek.com/intel-capital-bets-on-zenity-for-low-code-no-code-security/
Tomi Engdahl says:
Malware & Threats
Zero-Day Summer: Microsoft Warns of Fresh New Software Exploits
https://www.securityweek.com/zero-day-summer-microsoft-warns-of-fresh-new-software-exploits/
Microsoft’s struggles with zero-day exploits rolled into a new month with a fresh Patch Tuesday warning about malware attacks in the wild.
Microsoft’s struggles with zero-day exploits rolled into a new month with a fresh warning that two new Windows vulnerabilities are being targeted by malware attacks in the wild.
As part of its scheduled batch of Patch Tuesday security fixes, Redmond’s security response team flagged the two zero-days — CVE-2023-36761 and CVE-2023-36802 — in the “exploitation detected” category and urged Windows sysadmins to urgently apply available fixes.
The most serious of the two bugs is described as a privilege escalation flaw in Microsoft Streaming Service Proxy that carries a CVSS severity score of 7.8/10.
“An attacker who successfully exploited this vulnerability could gain SYSTEM privileges,” Microsoft cautioned.
The Microsoft Streaming Service Proxy is part of the enterprise-facing Microsoft Stream video communications service.
Tomi Engdahl says:
Google Patches Chrome Zero-Day Reported by Apple, Spyware Hunters
https://www.securityweek.com/google-patches-chrome-zero-day-reported-by-apple-spyware-hunters/
Google has released a Chrome 116 security update to patch CVE-2023-4863, the fourth Chrome zero-day vulnerability documented in 2023
Tomi Engdahl says:
Court Convicts Portuguese Hacker in Football Leaks Trial and Gives Him a 4-Year Suspended Sentence
https://www.securityweek.com/court-convicts-portuguese-hacker-in-football-leaks-trial-and-gives-him-a-4-year-suspended-sentence/
Portuguese hacker behind “Football Leaks” convicted by a Lisbon court of nine crimes and given a suspended prison sentence of four years.
Tomi Engdahl says:
Cyberwarfare
China-Linked ‘Redfly’ Group Targeted Power Grid
https://www.securityweek.com/china-linked-redfly-group-targeted-power-grid/
Symantec warns that the Redfly APT appears to be focusing exclusively on targeting critical national infrastructure organizations.
Tomi Engdahl says:
ICS Patch Tuesday: Critical CodeMeter Vulnerability Impacts Several Siemens Products
https://www.securityweek.com/ics-patch-tuesday-critical-codemeter-vulnerability-impacts-several-siemens-products/
ICS Patch Tuesday: Siemens has released 7 new advisories and Schneider Electric has released 1 new advisory.
Siemens has published seven new advisories covering a total of 45 vulnerabilities affecting the company’s industrial products.
One of the advisories describes CVE-2023-3935, a critical vulnerability affecting Wibu Systems’ CodeMeter software licensing and protection technology, which is used by several Siemens products, including PSS, SIMATIC, SIMIT, SINEC and SINEMA.
The RUGGEDCOM APE1808 product family is affected by nearly two dozen medium- and high-severity vulnerabilities affecting the BIOS provided by Insyde.
Many SIMATIC and SIPLUS products are impacted by an ANSI C OPC UA SDK vulnerability that could allow an unauthenticated, remote attacker to cause a DoS condition using a specially crafted certificate.
Tomi Engdahl says:
Iranian Cyberspies Deployed New Backdoor to 34 Organizations
https://www.securityweek.com/iranian-cyberspies-deployed-new-backdoor-to-34-organizations/
Iran-linked cyberespionage group Charming Kitten has infected at least 34 victims in Brazil, Israel, and UAE with a new backdoor.
Iran-linked cyberespionage group Charming Kitten has been observed infecting 34 victims with a new backdoor, cybersecurity firm ESET reports.
Believed to be operating on behalf of Iran’s Islamic Revolutionary Guard Corps (IRGC) and also tracked as APT42, Ballistic Bobcat, Mint Sandstorm (formerly Phosphorus), and NewsBeef, Charming Kitten has been targeting activists, government organizations and journalists for more than a decade.
Recently, the advanced persistent threat (APT) actor has been engaging in financially motivated ransomware operations and was seen targeting critical infrastructure organizations in the US last year.
Since 2021, the newly identified Sponsor backdoor has been deployed mainly against organizations in Israel, in the automotive, engineering, financial services, healthcare, manufacturing, media, technology, and telecommunications sectors.
For initial access, Charming Kitten exploited known vulnerabilities in internet-facing Microsoft Exchange servers. However, many of the identified victims lack an obvious intelligence value, suggesting that the attacks were not targeted, but rather a scan-and-exploit operation.
Tomi Engdahl says:
Thousands of Code Packages Vulnerable to Repojacking Attacks
https://www.securityweek.com/thousands-of-code-packages-vulnerable-to-repojacking-attacks/
Despite GitHub’s efforts to prevent repository hijacking, cybersecurity researchers continue finding new attack methods, and thousands of code packages and millions of users could be at risk.
Repojacking is a repository hijacking method that involves renamed GitHub usernames. If a user renames their account, their old username can be registered by someone else, including malicious actors, and potentially abused for supply chain attacks.
Threat actors may be able to register an old username and create repositories that were previously associated with the old username, which could allow them to route traffic intended for the legitimate repository to their malicious repository.
However — before GitHub rolled out a fix — if the account renaming and the repository creation were done at the same time, the attempt would be successful, enabling the attacker to obtain a namespace that would allow them to redirect traffic to their malicious repository.
Checkmarx’s analysis showed that roughly 4,000 code packages in Go, PHP, Swift, as well as GitHub Actions were impacted, including hundreds of packages with more than 1,000 stars.
https://www.securityweek.com/github-account-renaming-could-have-led-supply-chain-attacks/
Tomi Engdahl says:
Adobe Says Critical PDF Reader Zero-Day Being Exploited
https://www.securityweek.com/adobe-says-critical-pdf-reader-zero-day-being-exploited/
Adobe raises an alarm for new in-the-wild zero-day attacks hitting users of its widely deployed Adobe Acrobat and Reader product
Software maker Adobe on Tuesday raised an alarm about new in-the-wild zero-day attacks hitting users of its widely deployed Adobe Acrobat and Reader product.
As part of its scheduled batch of Patch Tuesday updates, Adobe warned that hackers are exploiting a remotely exploitable vulnerability — CVE-2023-26369 — to launch code execution attacks.
Adobe describes the flaw as an out-of-bounds write memory safety issue affecting both Windows and macOS installations.
“Successful exploitation could lead to arbitrary code execution. Adobe is aware that CVE-2023-26369 has been exploited in the wild in limited attacks targeting Adobe Acrobat and Reader,” the company said in an advisory.
Adobe did not specify which operating system is being targeted by in-the-wild attackers.
Tomi Engdahl says:
Chrome browser extensions are users' new plague
https://etn.fi/index.php/13-news/15309-chromen-selainlaajennukset-kaeyttaejien-uusi-riesa
Check Point Software reports in its August malware review that a new Shampoo campaign targeting Chrome users is spreading malicious browser extensions. The Qbot banking trojan, taken down in an FBI-led operation, still held its place in August as the most common malware in the world and in Finland.
Shampoo spreads advertisements containing malicious browser extensions. The ChromeLoader browser hijacker was first detected in 2022. In the Shampoo campaign, victims are tricked into running VBScript files that install malicious Chrome extensions. Once installed, they can collect personal data and disrupt browsing with unwanted ads.
In August, the FBI announced it had succeeded in a major global operation against Qbot (also known as Qakbot).
Tomi Engdahl says:
New Windows 11 feature blocks NTLM-based attacks over SMB https://www.bleepingcomputer.com/news/security/new-windows-11-feature-blocks-ntlm-based-attacks-over-smb/
Microsoft added a new security feature to Windows 11 that lets admins block NTLM over SMB to prevent pass-the-hash, NTLM relay, or password-cracking attacks.
This will modify the legacy approach where Kerberos and NTLM (i.e., LM, NTLM, and NTLMv2) authentication negotiations with destination servers would be powered by Windows SPNEGO.
This new feature allows an admin to block outbound NTLM over SMB, preventing a user’s hashed password from being sent to a remote server, effectively preventing these types of attacks.
SMB NTLM Blocking group policy
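As an added illustration of the SMB client setting described above (not code from the article or from Microsoft), the PowerShell below audits the current state, turns on outbound NTLM blocking, and shows a per-mapping override. The cmdlet parameter names (-BlockNTLM on Set-SmbClientConfiguration and New-SmbMapping) and the Group Policy path are assumed from the feature announcement for Windows 11 Insider builds; the server names are placeholders.

```powershell
# Added example: enable SMB NTLM blocking on a Windows 11 Insider client.
# Parameter names assumed from the feature announcement; verify with
# Get-Command Set-SmbClientConfiguration -Syntax on the build you run.

# 1. Audit: record the current client configuration before changing it.
$before = Get-SmbClientConfiguration
"BlockNTLM currently: $($before.BlockNTLM)"

# 2. Harden: refuse to send NTLM (LM, NTLM, NTLMv2) to any SMB server.
#    After this, a connection that cannot negotiate Kerberos fails instead
#    of leaking the user's NT hash to the remote host.
Set-SmbClientConfiguration -BlockNTLM $true -Force

# 3. Verify the change took effect.
$after = Get-SmbClientConfiguration
if (-not $after.BlockNTLM) { throw "BlockNTLM was not applied" }

# 4. Per-connection override for a known workgroup box (placeholder name)
#    that has no Kerberos identity. Keep such exceptions explicit and rare.
New-SmbMapping -LocalPath 'Z:' -RemotePath '\\LEGACY-NAS\backup' -BlockNTLM $false

# 5. Equivalent policy for fleet rollout (set via GPO rather than per host):
#    Computer Configuration > Administrative Templates > Network >
#    Lanman Workstation > "Block NTLM (LM, NTLM, NTLMv2)" = Enabled
```

Expect Kerberos-only failures on hosts reached by IP address or outside the domain; resolve them with SPNs or an explicit mapping rather than by disabling the block.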
Tomi Engdahl says:
Ransomware review: September 2023
https://www.malwarebytes.com/blog/threat-intelligence/2023/09/ransomware-review-september-2023
This article is based on research by Marcelo Rivero, Malwarebytes’ ransomware specialist, who monitors information published by ransomware gangs on their Dark Web sites. In this report, “known attacks” are those where the victim did not pay a ransom. This provides the best overall picture of ransomware activity, but the true number of attacks is far higher.
Ransomware news in August was highlighted by the sudden fall of CL0P from the list of the most active gangs in any given month, while Lockbit returned to the number one spot after a steady four-month decline in activity.
CL0P published the data of just four victims on their leak site last month, down from 91 known victims in June and 170 known victims in July. In June, CL0P shot to the top of the charts due to their use of a zero-day exploit in MOVEit Transfer, with victims of those attacks continuing to be posted into July.
Tomi Engdahl says:
3AM: New Ransomware Family Used As Fallback in Failed LockBit Attack https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/3am-ransomware-lockbit
A new ransomware family calling itself 3AM has emerged. To date, the ransomware has only been used in a limited fashion. Symantec’s Threat Hunter Team, part of Broadcom, has seen it used in a single attack by a ransomware affiliate that attempted to deploy LockBit on a target’s network and then switched to 3AM when LockBit was blocked.
3AM is written in Rust and appears to be a completely new malware family. The ransomware attempts to stop multiple services on the infected computer before it begins encrypting files. Once encryption is complete, it attempts to delete Volume Shadow (VSS) copies. It is still unclear whether its authors have any links to known cybercrime organizations.
Tomi Engdahl says:
RedLine/Vidar Abuses EV Certificates, Shifts to Ransomware https://www.trendmicro.com/en_us/research/23/i/redline-vidar-first-abuses-ev-certificates.html
We have been observing malware families RedLine and Vidar since the middle of 2022, when both were used by threat actors to target victims via spear-phishing scams. Earlier this year, RedLine targeted the hospitality industry with its info stealer malware.
Our latest investigations show that the threat actors behind RedLine and Vidar now distribute ransomware payloads with the same delivery techniques they use to spread info stealers. This suggests that the threat actors are streamlining operations by making their techniques multipurpose. In this particular case we investigated, the victim initially received a piece of info stealer malware with Extended Validation (EV) code signing certificates. After some time, however, they started receiving ransomware payloads via the same route.
Tomi Engdahl says:
Sponsor with batch-filed whiskers: Ballistic Bobcat’s scan and strike backdoor https://www.welivesecurity.com/en/eset-research/sponsor-batch-filed-whiskers-ballistic-bobcats-scan-strike-backdoor/
ESET researchers discovered a Ballistic Bobcat campaign targeting various entities in Brazil, Israel, and the United Arab Emirates, using a novel backdoor we have named Sponsor.
We discovered Sponsor after we analyzed an interesting sample we detected on a victim’s system in Israel in May 2022 and scoped the victim-set by country.
Upon examination, it became evident to us that the sample was a novel backdoor deployed by the Ballistic Bobcat APT group.
Ballistic Bobcat, previously tracked by ESET Research as APT35/APT42 (aka Charming Kitten, TA453, or PHOSPHORUS), is a suspected Iran-aligned advanced persistent threat group that targets education, government, and healthcare organizations, as well as human rights activists and journalists. It is most active in Israel, the Middle East, and the United States. Notably, during the pandemic, it was targeting COVID-19-related organizations, including the World Health Organization and Gilead Pharmaceuticals, and medical research personnel.
Tomi Engdahl says:
https://www.securityweek.com/macos-info-stealer-malware-metastealer-targeting-businesses/
Tomi Engdahl says:
Airbus Launches Investigation After Hacker Leaks Data
https://www.securityweek.com/airbus-launches-investigation-after-hacker-leaks-data/
Airbus has launched an investigation after a hacker claimed to have breached the company’s systems and leaked some business documents.
Tomi Engdahl says:
https://www.securityweek.com/sap-patches-critical-vulnerability-impacting-netweaver-s-4hana/