Cyber Briefing - 2023.02.23


Welcome to Cyber Briefing, a short newsletter that informs you about the latest cybersecurity advisories, alerts and incidents every weekday.


Cyber Alerts

1. Backdoor malware found on hundreds of servers after exploit of ConnectWise vulnerability

Cybersecurity company Fox-IT has discovered that an attack targeting the ZK Java framework of ConnectWise's R1Soft Server Backup Manager software has led to hundreds of servers being infiltrated with backdoors. While ConnectWise warned customers of the vulnerability back in October 2022, the flaw - a form of authentication bypass - has continued to be exploited, with Fox-IT finding evidence of it being used to gain server access since late November of that year. Fox-IT has now released indicators of compromise (IoCs) to help organizations determine whether they have been targeted using the vulnerability.


2. Hydrochasma: A New Threat Actor Using Open-Source Tools for Intelligence-Gathering Campaigns

Shipping companies and medical laboratories in Asia are being targeted in an intelligence-gathering campaign by a new threat actor, Hydrochasma, using open-source tools exclusively. Although no data exfiltration has been observed, the tools deployed could potentially allow for remote access and data exfiltration. The campaign, which began in October 2022, targets industries that may be involved in COVID-19 treatments or vaccines.


3. Over 15,000 Spam Packages Flood Open Source NPM Repository To Distribute Phishing Links

A recent report by Checkmarx warns of a massive campaign that deployed over 15,000 spam packages in the NPM repository to distribute phishing links. The attackers used automated processes to create the packages with descriptions and names that closely resembled one another. The rogue packages were designed to trick users into downloading them and clicking on the links to the phishing sites that promised increased followers on social media platforms.


4. Malicious Python Packages Found to Mimic Popular Libraries

Researchers have discovered 41 malicious packages posing as legitimate modules such as HTTP, requests, urllib and urllib3 in the Python Package Index (PyPI) repository. These packages have been found to harbor downloaders or information stealers that exfiltrate sensitive data. The package names are similar to those of popular libraries, but their descriptions don't hint at their malicious intent. This is only the most recent attempt by malicious actors to poison open-source repositories in order to propagate malware and mount supply chain attacks.
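A defender-side check that follows from this item, added here as an example and not taken from the briefing or the researchers' report: it scans requirements lines for names that either duplicate a standard-library module (such as http or urllib, which never need a PyPI package) or closely resemble a constructed watch list of popular packages (requests, urllib3). The watch list, similarity threshold and sample requirements are assumptions.

```python
import re
import sys
from difflib import SequenceMatcher

# Constructed watch list: popular package names the briefing says were imitated.
POPULAR_PACKAGES = {"requests", "urllib3"}
# sys.stdlib_module_names exists on Python 3.10+; fall back to a short constructed set.
STDLIB = set(getattr(sys, "stdlib_module_names", {"http", "urllib", "json", "os"}))
SIMILARITY_THRESHOLD = 0.8  # assumption: tuned for one-character edits on short names


def normalize(name: str) -> str:
    """PEP 503 normalization: case-fold and collapse runs of '-', '_' and '.' into '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def check_requirement(line: str) -> list:
    """Return the reasons a single requirements line looks like a lookalike package."""
    line = line.split("#", 1)[0].strip()  # drop comments
    if not line or line.startswith(("-", "git+", "http://", "https://")):
        return []  # options, VCS and URL requirements are out of scope here
    # cut off extras, version specifiers, environment markers and direct references
    name = re.split(r"[\s\[<>=!~;@]", line, maxsplit=1)[0]
    norm = normalize(name)
    reasons = []
    if norm in STDLIB:
        reasons.append(f"{name!r} is a standard-library module; no PyPI package is needed")
    for popular in sorted(POPULAR_PACKAGES):
        if norm == popular:
            continue  # the genuine package
        ratio = SequenceMatcher(None, norm, popular).ratio()
        if ratio >= SIMILARITY_THRESHOLD:
            reasons.append(f"{name!r} closely resembles {popular!r} (similarity {ratio:.2f})")
    return reasons


def scan_requirements(text: str) -> dict:
    """Map each suspicious requirement line to its reasons; clean lines are omitted."""
    findings = {}
    for line in text.splitlines():
        reasons = check_requirement(line)
        if reasons:
            findings[line.strip()] = reasons
    return findings


if __name__ == "__main__":
    # Constructed sample requirements mixing genuine names with lookalikes.
    SAMPLE = "requests==2.28.2\nrequest\nurllib\nHTTP\nurllib3>=1.26\nurlib3\nnumpy\n"
    for req, why in scan_requirements(SAMPLE).items():
        print(req, "->", "; ".join(why))
```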


5. New Information Stealer Steals User Credentials to Hijack Facebook and YouTube Accounts for Cryptocurrency Mining

Researchers from Bitdefender have discovered an ongoing malware campaign that is targeting Facebook and YouTube users. The malware, named S1deload Stealer, is a DLL side-loading threat that bypasses security defenses to execute malicious components. The malware is able to steal user credentials, emulate human behavior to artificially boost video and other content engagement, assess the value of individual accounts, mine for BEAM cryptocurrency, and propagate the malicious link to the user's followers.



Cyber Incidents

1. Exposed server leaks sensitive US military emails for two weeks

The U.S. Department of Defense has secured an exposed server that was spilling internal military emails to the open internet for two weeks. The server was hosted on Microsoft's Azure government cloud for Department of Defense customers, and the misconfiguration left the server without a password, allowing anyone on the internet access to the sensitive mailbox data inside. The server contained internal military email messages dating back years, some of which contained sensitive personnel information, and included a completed SF-86 questionnaire that contained highly sensitive personal and health information for vetting individuals before they are cleared to handle classified information.


2. Millions of Russians Receive False Missile Warning in Massive Hacker Attack

A massive hacker attack caused millions of Russians in nearly a dozen cities to receive false warnings of an air raid or missile strikes through radio alerts, text messages, and sirens. The Ministry of Emergency Situations blamed the broadcasts on unidentified hackers, who reportedly attacked the servers of some commercial radio stations and tied into their broadcasts without authorization. The incident occurred two days before the one-year anniversary of Russia's unprovoked and illegal attack on neighboring Ukraine, raising concerns about Russia's involvement in the cyberattacks on Ukrainian government agencies and private corporations.


3. Dole's cyberattack leads to temporary production shutdown and food shortage at grocery stores

Produce giant Dole was hit by a ransomware attack earlier this month, which led to the temporary shutdown of production plants in North America and a halt in food shipments to grocery stores. While Dole claimed that the impact of the incident was limited, some grocery shoppers complained that store shelves were missing Dole-made salad kits. The incident is a stark reminder of the far-reaching consequences of cyberattacks on critical infrastructure and highlights the need for improved cybersecurity measures across the board.


4. Android App OyeTalk Voice Chat App Leaks Private User Chats and Data

The OyeTalk voice chat app, which has over five million downloads on Google Play, has been found to be leaking private user data, including unencrypted chats, usernames, and cellphone IMEI numbers, through unprotected access to Firebase. The leak was discovered by researchers who warned of the potential for permanent data loss if the leaked data had not been backed up and the risk of malicious actors deleting the dataset. The leak highlights the importance of robust data protection measures and responsible handling of personal information in the face of ever-evolving cybersecurity threats.


5. "Major hack" attempted on Irish broadcaster Virgin Media Television impacts programming

Virgin Media Television, an Irish broadcaster, revealed on Monday that an attempted hack on its systems will impact its programming in the coming days. The nature of the attack has not been disclosed, but a spokesperson confirmed that it was not a ransomware attack. The company said it identified an unauthorized attempt to access its systems, which has been contained, isolated, and terminated, and that precautionary protocols are temporarily disconnecting some of its technologies to ensure maximum security.



Cyber Advisory

1. Red Hat Urges Immediate Action to Address Critical Linux Kernel Vulnerabilities

Red Hat has issued Security Advisories on February 21, 2023, warning of severe vulnerabilities in the Linux kernel, affecting multiple versions and platforms of Red Hat CodeReady Linux Builder and Red Hat Enterprise Linux. The Canadian Cyber Centre is urging all users and administrators to take prompt action by reviewing the provided web link and applying the necessary updates to mitigate the risks posed by the security flaws. Failure to address the vulnerabilities could potentially result in significant cyberattacks and data breaches.


2. HPE Serviceguard for Linux Security Vulnerabilities Resolved

HPE Serviceguard for Linux has addressed critical security vulnerabilities that could have allowed unauthenticated Java deserialization, memory corruption, and server-side request forgery attacks. The company has released new versions of the software, A.12.80.05 and A.15.00.00, that resolve the issues. All users are advised to upgrade to the latest versions to prevent exploitation of the vulnerabilities.


3. Cisco Products at Risk: Multiple Vulnerabilities Addressed in Recent Security Advisories

Cisco has published security advisories detailing vulnerabilities in multiple products, including Cisco APIC, Cloud Network Controller, and Nexus 9000 Series Fabric Switches.


4. Trellix Addresses Security Vulnerabilities Across Product Line, OpenSSL Releases Critical Fix

Trellix has published a Security Advisory addressing vulnerabilities in its Agent and Intelligent Sandbox products. Users and administrators are urged to review web links provided by the Cyber Centre and apply necessary updates. OpenSSL has also released a fix for a critical security bug, though the vast majority of Trellix products and services remain unaffected by the issue, as they use supported versions of OpenSSL.



Copyright © 2023 CyberMaterial. All Rights Reserved.
