Cyber Briefing - 2023.02.20
Welcome to Cyber Briefing, a short newsletter that informs you about the latest cybersecurity advisories, alerts and incidents every weekday.
First time seeing this? Please subscribe.
Cyber Alerts
SolarWinds has published multiple advisories detailing seven high-severity vulnerabilities, with a patch expected by the end of February. Five of the security defects allow for deserialization of untrusted data that could lead to command execution by remote attackers with admin-level account access to the SolarWinds Web Console. The remaining two vulnerabilities affect Server & Application Monitor 2022.4 and SolarWinds Platform, with patches available in Hybrid Cloud Observability 2023.1 and SolarWinds Platform 2023.1, respectively.
Google's Threat Analysis Group and Mandiant have revealed that cyber attacks by Russia against Ukraine have surged by 250% in 2022, with a focus on the government and military, infrastructure, utilities, public services, and media. Six unique wiper strains were reportedly deployed, indicating a willingness to forgo persistent access, while phishing attacks aimed at NATO countries surged by 300%. The report suggests that the Eastern European cybercriminal ecosystem is undergoing a "notable shift" that blurs the lines between financially motivated actors and state-sponsored attackers.
Samsung has introduced a new security feature called Message Guard that protects users from malware and spyware delivered via zero-click attacks. The solution pre-emptively secures users' devices by limiting exposure to invisible threats disguised as image attachments. It is available in Samsung Messages and Google Messages, and currently only on the Samsung Galaxy S23 series. Zero-click attacks exploit previously unknown flaws in software to trigger the execution of malicious code without requiring any user interaction; Message Guard acts as a sandbox that quarantines images received via the messaging app from the rest of the operating system.
Twitter has announced that it will restrict the use of SMS-based two-factor authentication (2FA) to only its Blue subscribers, citing security concerns. Users that have enrolled for SMS-based 2FA, but have not subscribed to Twitter Blue, will have until March 20, 2023, to switch to alternative methods such as authenticator apps or hardware security keys. According to Twitter's own data, SMS accounts for 74.4% of all active accounts that have enabled at least one form of 2FA, followed by authenticator apps (28.9%) and security keys (0.5%).
GoDaddy has announced a multi-year security breach that exposed source code and enabled threat actors to install malware that redirected some of its customers to malicious sites. The web hosting provider attributed the campaign to a "sophisticated and organized group targeting hosting services." GoDaddy said that the intrusions aimed to "infect websites and servers with malware for phishing campaigns, malware distribution, and other malicious activities."
Cyber Incidents
Norwegian police agency Økokrim has seized $5.84m worth of cryptocurrency stolen by the North Korea-backed hacking group, Lazarus, following the Axie Infinity Ronin Bridge hack in March 2022. Økokrim said that it worked with international law enforcement partners to follow and piece together the money trail, making it more difficult for criminal actors to carry out money laundering activities. The development comes as blockchain analytics firm, Elliptic, revealed that another cryptocurrency mixer, Sinbad, may have laundered nearly $100m in Bitcoin from hacks attributed to the Lazarus Group, and the hacking group continues to evolve with new anti-forensic techniques.
Earth Kitsune, a cyber espionage group that targets individuals interested in North Korea, has been found deploying a new backdoor called WhiskerSpy in a social engineering campaign. The group has been active since 2019 and has previously used watering holes that leveraged browser exploits in Google Chrome and Internet Explorer to start the infection chain. WhiskerSpy can delete, enumerate, download and upload files, take screenshots, inject shellcode and load arbitrary executables, and Earth Kitsune continues to evolve its tools, tactics, and procedures.
Armenian entities have been targeted by a cyber attack using an updated version of the OxtaRAT backdoor that can allow for remote access and desktop surveillance, according to Check Point Research. The campaign began in November 2022 and marks the first time the threat actors behind the activity have extended their focus beyond Azerbaijan, targeting human rights organizations, dissidents, and independent media. OxtaRAT can now be used for active reconnaissance of other devices, suggesting that the attackers may be moving from targeting individuals to targeting more complex or corporate environments.
Applied Materials, a technology provider for the semiconductor industry, announced that a ransomware attack on one of its suppliers would cost it $250 million in the next quarter. Although the company did not disclose the supplier’s identity, industry analysts identified it as technology and engineering firm MKS Instruments, which had to postpone its Q4 earnings call due to the attack. The incident highlights concerns that, as larger companies improve their cybersecurity, attackers will focus on weaker links in the supply chain, including smaller businesses.
Decentralized finance (DeFi) protocol Platypus has been hit by an $8.5 million flash loan attack, leading to the de-pegging of its Platypus USD stablecoin, which dropped 52.2% to $0.478. Blockchain security firm CertiK has identified a suspect through an alleged attacker's contract address. Tether Holdings has frozen the USDT stolen, and Platypus is seeking to negotiate with the hacker for the return of the funds before engaging with law enforcement.
Cyber Advisory
Fortinet has released security updates to fix 40 vulnerabilities in its software, including Critical and High severity flaws. The Critical vulnerability in the FortiNAC network access control solution (CVE-2022-39952) could allow an unauthenticated attacker to execute arbitrary code. The second flaw of note is a stack-based buffer overflow in FortiWeb's proxy daemon (CVE-2021-42756) that could enable an unauthenticated remote attacker to achieve arbitrary code execution. Users are urged to apply the updates quickly, as proof-of-concept code for the FortiNAC vulnerability is expected to be released soon.
HAProxy, an open source load balancer and reverse proxy, has patched a vulnerability that could allow attackers to stage HTTP request smuggling attacks: a maliciously crafted HTTP request could bypass HAProxy's filtering rules and reach back-end servers the attacker should not be able to access. The vulnerability had existed since HAProxy 2.0, released in June 2019, and was reported by researchers at Northeastern University, Akamai Technologies, and Google who found it during testing. HAProxy's maintainer, Willy Tarreau, has provided a temporary configuration-based workaround for those who cannot immediately upgrade to a fixed version.
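Request smuggling is, at bottom, two HTTP parsers disagreeing about where one request ends and the next begins. The following is an added illustration of that class of bug, not HAProxy's code and not the specific mechanism of the HAProxy flaw reported above: it models a lenient proxy that frames bodies by Content-Length, a lenient back end that honours chunked Transfer-Encoding, and a strict parser that refuses ambiguous framing as RFC 7230 section 3.3.3 requires. All requests, hostnames and paths in it are constructed sample input.

```python
"""
HTTP request smuggling as a framing disagreement between two parsers.

Added illustration, not HAProxy's code and not the mechanism of the HAProxy
flaw reported above: it shows the classic CL.TE desync, where a proxy that
frames bodies by Content-Length and a backend that frames them by chunked
Transfer-Encoding split the same byte stream into different requests, and a
strict parser that refuses ambiguous framing (RFC 7230 section 3.3.3).
All requests below are constructed sample input.
"""

CRLF = b"\r\n"


def _read_head(buf):
    """Split the first message in buf into (request-target, headers, remaining bytes)."""
    head, _, rest = buf.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    target = lines[0].split(b" ")[1]
    return target, headers, rest


def _skip_body(rest, headers, honour_te):
    """Advance past the body using chunked framing (if honour_te) or Content-Length."""
    if honour_te and b"chunked" in headers.get(b"transfer-encoding", []):
        while True:                      # no trailer support; enough for the demo
            size_line, _, rest = rest.partition(CRLF)
            size = int(size_line, 16)
            rest = rest[size + 2:]       # chunk data plus its trailing CRLF
            if size == 0:
                return rest
    length = int(headers.get(b"content-length", [b"0"])[0])
    return rest[length:]


def _check_unambiguous(headers):
    """Raise ValueError for message framing that two parsers could read differently."""
    if b"transfer-encoding" in headers and b"content-length" in headers:
        raise ValueError("Transfer-Encoding and Content-Length both present")
    cls = headers.get(b"content-length", [])
    if len(cls) > 1:
        raise ValueError("duplicate Content-Length")
    if cls and not cls[0].isdigit():
        raise ValueError("non-numeric Content-Length")


def split_requests(buf, honour_te, strict=False):
    """Return the list of request targets one parser sees in a byte stream."""
    targets = []
    while buf:
        target, headers, rest = _read_head(buf)
        if strict:
            _check_unambiguous(headers)
        targets.append(target)
        buf = _skip_body(rest, headers, honour_te)
    return targets


def frontend_view(buf):
    """Lenient proxy: frames by Content-Length and passes the bytes through."""
    return split_requests(buf, honour_te=False)


def backend_view(buf):
    """Lenient origin server: honours chunked Transfer-Encoding when present."""
    return split_requests(buf, honour_te=True)


def strict_view(buf):
    """Hardened proxy: rejects ambiguous framing before forwarding anything."""
    return split_requests(buf, honour_te=True, strict=True)


# Constructed sample traffic. The smuggled request hides inside the POST body:
# Content-Length covers the whole body, but the chunked terminator "0\r\n\r\n"
# ends it early for a parser that honours Transfer-Encoding.
SMUGGLED = b"GET /admin HTTP/1.1\r\nHost: example.test\r\n\r\n"
BODY = b"0\r\n\r\n" + SMUGGLED
ATTACK = (
    b"POST / HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    + b"Content-Length: %d\r\n" % len(BODY)
    + b"Transfer-Encoding: chunked\r\n"
    + CRLF
    + BODY
)
BENIGN = b"GET /index HTTP/1.1\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    print("frontend sees:", frontend_view(ATTACK))   # [b'/']
    print("backend sees: ", backend_view(ATTACK))    # [b'/', b'/admin']
    try:
        strict_view(ATTACK)
    except ValueError as exc:
        print("strict parser rejects:", exc)
    print("benign, all agree:", frontend_view(BENIGN) == backend_view(BENIGN) == strict_view(BENIGN))
```

The front end forwards what it believes is one POST; the back end reads the same bytes as a POST followed by a GET to /admin that never passed the proxy's rules. The strict parser does what a proxy should: it refuses to forward any message whose length two implementations could compute differently, which is the property a config-based workaround or a patch has to restore.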
Subscribe and Comment.
Copyright © 2023 CyberMaterial. All Rights Reserved.
Cyber Security Analyst | Sec+ | Splunk Core & Power User | AZ-900 | Threat Intelligence
1 year ago: Crazy what's still going on over there, I pray for the families of Ukraine!