Cyber Briefing - 2023.03.08

Welcome to Cyber Briefing, a short newsletter that informs you about the latest cybersecurity advisories, alerts, incidents and news every weekday.

First time seeing this? Please subscribe.




Cyber Alerts

1. Ongoing Exploitation of Critical VMware Flaw

Wallarm Detect, an application vulnerability detection firm, has issued a warning about the ongoing exploitation of a critical flaw in VMware Cloud Foundation and NSX Data Center for vSphere (NSX-V). The flaw, tracked as CVE-2021-39144, has a CVSS score of 9.8 and was disclosed in October 2022. Although VMware announced patches for it, the affected product had already reached end-of-life status in January 2022. Wallarm Detect reports that it has been observing ongoing exploitation of the vulnerability since December 2022, which could have catastrophic consequences, including allowing attackers to execute arbitrary code, steal data, and take control of the network infrastructure.


2. CISA Adds Three Vulnerabilities to KEV List

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added three vulnerabilities to its Known Exploited Vulnerabilities catalog, warning of active exploitation. The most critical of the three is a remote code execution flaw in Teclib GLPI, an open source asset and IT management application, which stems from the bundled third-party library htmlawed. A cURL-based proof of concept has been made available on GitHub, and a "mass" scanner has since been advertised for sale. Another of the flaws is an unauthenticated command injection vulnerability in Apache Spark that has been exploited by the Zerobot botnet to co-opt vulnerable devices for distributed denial-of-service attacks.


3. Google Patches 50+ Android Vulnerabilities

Google has released the March 2023 security updates for the Android platform, addressing over 50 vulnerabilities. Among the most severe are two remote code execution flaws in the System component, which were patched as part of the 2023-03-01 security patch level. In addition, 29 vulnerabilities affecting the Android Kernel, MediaTek, Unisoc, Qualcomm, and Qualcomm closed-source components were addressed with the 2023-03-05 security patch level.


4. New Malware AresLoader For Sale

A new private loader named “AresLoader” has been advertised for sale on a top-tier Russian-language hacking forum, available for $300 per month, with the sellers claiming that only ten licenses are available at a time. AresLoader is designed to camouflage itself as legitimate software while covertly downloading harmful payloads. It operates through a single command and control (C2) panel that receives logs, and customers can create user accounts for the panel. Flashpoint analysts have evaluated a sample build of AresLoader and confirmed that it performs the advertised functions.


5. New Advanced Information Stealer Detected

Morphisec researchers have discovered a new advanced information stealer, dubbed SYS01 stealer, that has been used in attacks on critical government infrastructure employees and manufacturing companies since November 2022. The attack is designed to steal sensitive information, including login data, cookies, and Facebook ad and business account information. The malware is spread through fake Facebook profiles and Google ads, which promote games, adult content, and cracked software to lure victims into downloading a malicious file; once installed, it can upload files from the infected system to the C2 server and execute commands sent by that server.


6. Chinese hackers target SE Asian governments

Chinese hacking group Sharp Panda is actively deploying a new version of the ‘Soul’ malware framework in spear-phishing attacks targeting high-profile government entities in Vietnam, Thailand, and Indonesia. Researchers at Check Point recently discovered the campaign and, based on its use of the RoyalRoad RTF kit, its C2 server addresses and the operators' working hours, attributed the operation to state-backed Chinese hackers. The new variant of the Soul malware features a "radio silence" mode, which allows the backdoor to blend in with general traffic during specific hours of the week, and implements a custom C2 communication protocol.


7. Emotet malware resumes spam emails

After a three-month break, Emotet malware has resumed spamming malicious emails worldwide. The notorious malware is distributed through email with malicious Microsoft Word and Excel attachments, which, when opened, will download and load the Emotet DLL into memory. The latest campaign utilizes emails pretending to be invoices, containing ZIP archives with inflated Word documents that are over 500 MB in size, padded with unused data to make it harder for antivirus solutions to detect them as malicious.
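One defender-side heuristic for the inflated-document trick described above, written as an added example for this briefing rather than code from the campaign or from any named vendor: it measures how much of a file is a single trailing run of one byte value and how far the file deflates. The thresholds and the constructed sample blobs are assumptions, not values taken from the campaign.

```python
"""Heuristic check for artificially inflated documents (added example)."""
import random
import zlib

# Thresholds are illustrative assumptions, not values from the briefing.
MIN_SUSPICIOUS_SIZE = 100 * 1024 * 1024  # 100 MiB; the campaign's files exceeded 500 MB
PADDING_FRACTION = 0.90                  # flag if >= 90% of the file is one trailing run
COMPRESSION_FLOOR = 0.05                 # flag if the file deflates to <= 5% of its size


def trailing_run_length(data: bytes) -> int:
    """Length of the run of a single repeated byte value at the end of data."""
    if not data:
        return 0
    last = data[-1]
    i = len(data) - 1
    while i >= 0 and data[i] == last:
        i -= 1
    return len(data) - 1 - i


def compression_ratio(data: bytes) -> float:
    """Compressed size divided by raw size; padding deflates almost to nothing."""
    if not data:
        return 1.0
    return len(zlib.compress(data, 6)) / len(data)


def looks_inflated(data: bytes, min_size: int = MIN_SUSPICIOUS_SIZE) -> dict:
    """Return the measured features and a verdict for one file's bytes."""
    size = len(data)
    run = trailing_run_length(data)
    ratio = compression_ratio(data)
    # max(min_size, 1) keeps an empty file from reaching the division below.
    verdict = size >= max(min_size, 1) and (run / size >= PADDING_FRACTION or ratio <= COMPRESSION_FLOOR)
    return {"size": size, "trailing_run": run, "compression_ratio": round(ratio, 4), "inflated": verdict}


def build_samples() -> dict:
    """Constructed inputs: a small 'normal' blob and the same blob padded with zero bytes."""
    rng = random.Random(7)
    # OLE compound-file magic plus incompressible content stands in for a real document.
    normal = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + bytes(rng.getrandbits(8) for _ in range(4096))
    padded = normal + b"\x00" * (64 * 1024)
    return {"normal": normal, "padded": padded}


if __name__ == "__main__":
    # min_size is lowered so the small constructed samples exercise the checks.
    for name, blob in build_samples().items():
        print(name, looks_inflated(blob, min_size=4096))
```

Against real mail attachments the defaults apply, so only files above 100 MiB are ever flagged; the lowered min_size in the demo exists purely so the small in-memory samples reach the padding and compression tests.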



Cyber Incidents

1. Hackers Steal 3TB of Data from Brazilian Firm

Hackers belonging to the "Dark Angels" group claim to have stolen 3TB of emails and corporate information from Andrade Gutierrez, one of the largest engineering firms in Latin America. The stolen data reportedly includes employee names, passport details, payment info, and health insurance information of over 10,000 employees, as well as blueprints for major construction projects. The firm has not yet acknowledged the raid, and the vulnerability used to perpetrate the attack reportedly remains unpatched.


2. Hamburg University hit by ransomware attack

The Hamburg University of Applied Sciences (HAW Hamburg) has become the latest German-speaking institution to fall prey to ransomware, with the Vice Society group claiming responsibility. The attack, which took place in December, was manually carried out, with the group gaining access to the university’s central IT and security systems, as well as administrative rights to the central storage systems. Significant amounts of data, including usernames and “cryptographically secured” passwords, were copied, leading to recommendations that students and staff change passwords for all internal university applications.


3. Acer Data Breach: 160GB of Stolen Data

Acer has announced that it has been subject to a data breach after a threat actor claimed to have hacked the company. The actor is offering 160 GB of data for sale, which they allege to have stolen from the hardware and electronics giant, including confidential product model documentation, backend infrastructure, and BIOS information. Acer has confirmed the incident, with a representative stating that while the investigation is ongoing, there is currently no indication that any consumer data was stored on the server that was compromised.


4. Ethical Hacker Returns Stolen $1.59M

Tender.fi, a DeFi lending platform, was hit by an unusually large volume of borrowing, leading to a loss of $1.59 million. The exploit was detected by CertiK and Lookonchain, who flagged it to the platform. The white hat hacker who carried out the attack returned the stolen funds in exchange for a bounty reward of $97,000, highlighting the need for better security measures in DeFi protocols.


5. Lazarus Group Hacks South Korea Bank

The Lazarus group, known for its cyberattacks on South Korea, has been found to have infiltrated various Korean companies, including those related to national defense and satellites, with its malware strains since March 2019. Recently, a company that the group had previously infiltrated in May 2022 was re-infiltrated through a zero-day vulnerability in the same software, showing that the group is researching the vulnerabilities of various software and constantly changing its techniques to infiltrate Korean institutions and companies. ASEC has filed a report regarding the software's vulnerability with KISA, and the team will re-upload the report with updated information once the software patch becomes available.



Cyber News

1. Excel blocks untrusted XLL add-ins by Default

Microsoft has announced that its Excel spreadsheet software will now block untrusted XLL add-ins by default in Microsoft 365 tenants worldwide. The new feature will be generally available in multi-tenant environments worldwide by late March, after rolling out to all desktop users in the Current, Monthly Enterprise, and Semi-Annual Enterprise channels. This move is part of Microsoft's broader effort to tackle the rise in recent years of malware campaigns abusing various Office document formats as an infection vector.


2. TSA Mandates Cybersecurity for Airports

The US Transportation Security Administration (TSA) has announced new cybersecurity requirements for airport and aircraft operators to combat persistent threats against the country's aviation sector and other critical infrastructure. Operators are required to develop a plan for improving their cybersecurity resilience and preventing infrastructure disruption and degradation, in addition to implementing access control mechanisms and incident detection and response policies. The TSA has also mandated that aviation organizations regulated by the agency develop network segmentation controls and policies to prevent unauthorized access to critical systems.


3. Microsoft Fixes Outlook Sign-in Errors

Microsoft has released a fix for sign-in errors that iOS and Android users might encounter with mailboxes in some Exchange environments. Users may see an error message stating that their email address has been blocked on this device by their administrator. The likely cause of the error is a missing Exchange ActiveSync (EAS) access rule that permits users of Outlook iOS and Android apps to connect to the Exchange Online server. To resolve these issues, admins must ensure that hybrid Modern Auth is toggled on and add a new Exchange Online access rule for mobile Outlook apps.



Subscribe and Comment.

Copyright © 2023 CyberMaterial. All Rights Reserved.

Follow CyberMaterial on:

LinkedIn, Twitter, Reddit, Instagram, Facebook, YouTube, and Medium.
