Cyber Briefing - 2023.03.24
Welcome to Cyber Briefing, a short newsletter that informs you about the latest cybersecurity advisories, alerts, incidents and news every weekday.
First time seeing this? Please subscribe.
Cyber Alerts
Cleafy, a cybersecurity firm, has issued a warning of a new Android banking trojan named Nexus that is being employed by multiple groups in attacks against 450 financial applications. The Nexus ransomware was first analyzed in early March by researchers from the threat intelligence firm Cyble. The Nexus Trojan can target multiple banking and cryptocurrency services and supports features to bypass two-factor authentication (2FA) by abusing Android’s accessibility services, making it a significant threat to customers' accounts.
Cisco has released a batch of security advisories; the most important ones cover three vulnerabilities that let remote, unauthenticated attackers cause a denial-of-service (DoS) condition. Cisco advises users to patch their software to prevent exploitation of these vulnerabilities, which affect various products, including IOS, IOS XE, Wireless LAN controllers, and SD-WAN vManage software.
Red Hat has issued security advisories for a vulnerability in the Linux kernel that affects Red Hat Enterprise Linux 9 and Red Hat Virtualization 4. The flaw allows local users to crash or potentially escalate their privileges on the system. The Cyber Centre advises users and administrators to review the provided web links and apply the necessary updates to avoid potential denial-of-service or privilege escalation attacks.
A high-severity vulnerability impacting Veeam's Backup & Replication (VBR) software can now be exploited by attackers thanks to the release of cross-platform proof-of-concept (PoC) exploit code by Horizon3's Attack Team. The flaw affects all VBR versions and can be exploited by unauthenticated attackers to breach backup infrastructure after stealing cleartext credentials and gaining remote code execution as SYSTEM. While there are currently no reports of threat actors leveraging this vulnerability, attackers may create their own exploits based on the PoC code, making it crucial for Veeam customers to apply the security updates or apply a temporary fix as soon as possible to secure their organization.
A recently discovered malicious Python package on PyPI named "onyxproxy" has been found to use Unicode as an obfuscation technique to evade detection while stealing and exfiltrating developers' account credentials and other sensitive data from compromised devices. The package contains thousands of suspicious code strings that use a mix of Unicode characters, which allows coders to create identifiers that appear identical yet point to different functions. While the Unicode support in Python has been extensively discussed in the development community in the past, these attacks are now confirmed, and defenders must implement more robust detection mechanisms against these emerging threats.
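The detection side of the technique described above, as an added example that is not code from the newsletter or from the package in question: Python normalizes identifiers with NFKC at compile time, so a variable written in Mathematical Alphanumeric Symbols or fullwidth Latin letters binds to the same name as its plain ASCII spelling while looking different (or unreadable) in review. The script uses the tokenize module, which keeps the raw spelling (ast only ever shows the normalized name), to flag every non-ASCII identifier and to group spellings by the name Python actually binds. The sample source it scans is constructed for this example.

```python
import io
import tokenize
import unicodedata
from typing import Dict, List, Set, Tuple


def to_math_italic(word: str) -> str:
    """Re-spell lowercase ASCII letters with Mathematical Sans-Serif Italic Small
    letters (U+1D622..U+1D63B), one of the look-alike alphabets such packages
    use. Used here only to build the constructed sample below."""
    return "".join(
        chr(0x1D622 + ord(c) - ord("a")) if "a" <= c <= "z" else c for c in word
    )


# Constructed sample source (not the real package code). The variable 'secret'
# is spelled three ways: plain ASCII, mathematical italic, and fullwidth Latin
# (U+FF41..U+FF5A). Because Python applies NFKC normalization to identifiers,
# all three spellings refer to the same variable when the file runs.
FULLWIDTH_SECRET = "\uff53\uff45\uff43\uff52\uff45\uff54"
SAMPLE_SOURCE = "\n".join(
    [
        "import os",
        f"{to_math_italic('secret')} = os.environ.get('TOKEN')",
        f"{FULLWIDTH_SECRET} = {FULLWIDTH_SECRET}.strip()",
        "print(secret)",
        "",
    ]
)


def find_non_ascii_identifiers(source: str) -> List[Tuple[int, str, str]]:
    """Return (line, raw_spelling, nfkc_form) for every NAME token that contains
    a non-ASCII character. The NFKC form is the name the compiler binds, so it
    is what a reviewer should compare against the rest of the file."""
    findings = []
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type == tokenize.NAME and not tok.string.isascii():
            nfkc = unicodedata.normalize("NFKC", tok.string)
            findings.append((tok.start[0], tok.string, nfkc))
    return findings


def spellings_by_name(source: str) -> Dict[str, Set[str]]:
    """Group every raw spelling by its NFKC-normalized name and keep only names
    written in more than one way. One name with several spellings is the
    signature of the obfuscation described in the article."""
    spellings: Dict[str, Set[str]] = {}
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type == tokenize.NAME:
            nfkc = unicodedata.normalize("NFKC", tok.string)
            spellings.setdefault(nfkc, set()).add(tok.string)
    return {name: forms for name, forms in spellings.items() if len(forms) > 1}


def describe(raw: str) -> str:
    """Unicode character names of the first few code points of a raw identifier,
    so the report shows which alphabet was used."""
    return ", ".join(unicodedata.name(ch, "?") for ch in raw[:3])


if __name__ == "__main__":
    for line, raw, nfkc in find_non_ascii_identifiers(SAMPLE_SOURCE):
        print(f"line {line}: {raw!r} normalizes to {nfkc!r} ({describe(raw)})")
    for name, forms in spellings_by_name(SAMPLE_SOURCE).items():
        print(f"{name!r} is written {len(forms)} different ways")
```

Run against a real file with `find_non_ascii_identifiers(open(path, encoding="utf-8").read())`; a legitimate package almost never needs non-ASCII identifiers, so any hit is worth a look, and a name that appears under several spellings is the strongest signal.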
Over 500,000 websites using the WooCommerce Payments plugin for WordPress are impacted by a critical security flaw that could allow an unauthorized person to gain admin access to online stores. WordPress security company Wordfence warns that the issue could enable an attacker to take over a website without requiring any user interaction or social engineering. Though there is currently no evidence of active exploitation, experts predict that the flaw could become weaponized on a large scale once a proof-of-concept becomes available.
The City of Toronto and Virgin are the latest victims of a series of cyberattacks by Clop ransomware group, which exploited a vulnerability in the popular file transfer product GoAnywhere. The attack affected dozens of organizations, including Pluralsight, Rio Tinto, Hatch Bank, and Rubrik. Clop has a history of targeting multiple organizations and announcing them in quick succession, making it distinct from other ransomware operations.
A research team has found that PowderRoom, a South Korean social platform marketing itself as the country's largest beauty community, exposed the private data of a million users, including their full names, phone numbers, emails, Instagram usernames, and even home addresses. The publicly accessible database was estimated to have been available for over a year. Researchers advise users to take note of what personal information was compromised and take protective measures such as verifying the authenticity of messages and emails before clicking on any links, adding extra identity verification steps to their phone service provider, keeping their operating systems up to date, and switching to a different web browser.
GitHub has rotated its private SSH key after it was accidentally exposed in a public repository, though the key was only exposed "briefly." GitHub's blog post did not specify when the key was exposed or for how long, and as a result, users should update their known_hosts file with GitHub's new key fingerprint to avoid security warnings. The company stressed that the exposure was the result of the inadvertent publishing of private information and was not the result of any compromise of GitHub systems or customer information.
A hacker claimed to have stolen close to 1 million iD Tech user records, including names, dates of birth, passwords stored in plaintext, and about 415,000 unique email addresses, which iD Tech did not dispute when reached by email. Some parents only found out as recently as March 6, when data breach notification services like Have I Been Pwned obtained the data and sent out notifications to affected families. Other parents found out when other services, like Firefox or their device security software, notified them that their information was found in the breached data.
Hackers have targeted the consumer products giant Procter and Gamble through a data transfer tool called GoAnywhere, which allowed them to steal information about its employees. The attack was part of a larger ransomware campaign aimed at large companies with a significant presence. While it's unclear whether P&G has paid the ransom to retrieve the stolen information, the incident highlights the ongoing risk of cyber attacks for even the biggest and most established organizations.
Cyber News
Two proposed class action lawsuits have been filed against the online health insurance marketplace that serves residents of Washington, D.C., and members of the U.S. Congress, following a hacking incident that affected over 56,000 individuals. Both lawsuits accuse the DC Health Benefit Exchange Authority of being negligent in failing to secure sensitive information and seek monetary damages and improvements to data security. The vulnerability that was exploited by hackers has since been fixed and DC Health Link is working with Mandiant to review its security measures and implement new protocols going forward.
Specops Software's research revealed that the most common Fortune 500 company names are used in compromised password data. Household names such as Coca-Cola, Starbucks, and McDonald's are among the top ten names found, with Williams being the most common. However, just because a company name appears on this list doesn't mean that they have suffered a breach or that their passwords have been leaked. Specops recommends blocking the use of organization names in users' passwords with a custom dictionary to enhance network security.
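A custom-dictionary check of the kind recommended above, as an added example that is not code from the newsletter or from Specops. The point it shows is that a naive substring test is not enough: a password must be normalized (lower-cased, common leet substitutions undone, separators removed) before it is compared against the organization-name list, otherwise "C0ca-C0la2023!" slips past a filter for "Coca-Cola". The term list and test passwords are constructed for this example.

```python
from typing import Iterable, List, Optional

# Common substitutions used to disguise a dictionary word. Constructed list;
# extend it to match whatever your own policy wants to catch.
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i", "|": "l",
})

# Constructed organization-name dictionary (the names are taken from the
# article; the list itself is an example, not Specops' data).
ORG_TERMS = ["Coca-Cola", "Starbucks", "McDonald's", "Williams", "ExampleCorp"]


def normalize(text: str) -> str:
    """Lower-case, undo leet substitutions, then keep only a-z so that
    'C0ca-C0la2023!' and 'Coca-Cola' both reduce to something containing
    'cocacola'."""
    folded = text.lower().translate(LEET_MAP)
    return "".join(ch for ch in folded if "a" <= ch <= "z")


def find_banned_term(password: str, terms: Iterable[str], min_len: int = 4) -> Optional[str]:
    """Return the first dictionary term found inside the normalized password,
    or None. Terms shorter than min_len letters after normalization are
    skipped so that a two-letter company name does not block every password."""
    candidate = normalize(password)
    for term in terms:
        needle = normalize(term)
        if len(needle) >= min_len and needle in candidate:
            return term
    return None


def check_password(password: str, terms: Iterable[str], min_length: int = 12) -> List[str]:
    """Collect policy violations for one password: a length floor plus the
    custom-dictionary check. An empty list means the password passes."""
    problems: List[str] = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    banned = find_banned_term(password, terms)
    if banned is not None:
        problems.append(f"contains organization name '{banned}'")
    return problems


if __name__ == "__main__":
    for pw in ["C0ca-C0la2023!", "Starbuck5!", "correct horse battery staple"]:
        print(f"{pw!r}: {check_password(pw, ORG_TERMS) or 'ok'}")
```

The normalization is deliberately lossy in one direction only: digits that are not leet substitutes are dropped rather than mapped, so the check can produce a false positive on an unlucky random string but will not miss a disguised name because of a stray digit. Tune `LEET_MAP`, `min_len` and the term list to your environment.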
Microsoft has announced the release of an updated Windows 11 build that comes with enhanced phishing protection and support for SHA-3 cryptographic hash functions. The phishing protection feature is designed to warn users against reusing passwords, storing them in plain text, or typing them into sites flagged as malicious. The latest update will also enable users to receive warnings not to copy-paste passwords on unsafe sites and apps. Additionally, SHA-3 support has been added through the Windows CNG library.
Russian consumers and criminals have been offered services for bypassing international sanctions that may indirectly involve US financial institutions, warns threat intelligence firm Recorded Future. These strategies include cryptocurrency virtual credit cards and mail-forwarding services, which have been advertised on cybercrime markets and Telegram channels. As the effects of the sanctions start to accumulate, experts predict that Russians will increasingly turn to such methods to obtain desired goods and services from abroad, as well as monetize illicit activities.
Subscribe and Comment.
Copyright © 2023 CyberMaterial. All Rights Reserved.