Cyber Briefing - 2023.04.19
Welcome to Cyber Briefing, the newsletter that informs you about the latest cybersecurity advisories, alerts, incidents and news every weekday.
First time seeing this? Please subscribe.
Cyber Alerts
Akamai's recent report shows a dramatic surge in web app and API attacks exploiting poorly coded applications, with daily attacks reaching well over 100 million. Local file inclusion (LFI) attacks are driving the most growth in API attacks, with a 193% year-over-year increase. According to cybersecurity experts, the surge in API attacks is due to exponential API growth not being matched by security measures.
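LFI attempts against an API almost always show up in the request path: traversal sequences (often URL-encoded once or twice to slip past naive filters) aimed at a well-known file. The following detector is an added example written for this briefing, not code from Akamai or the report; the log lines are constructed in the combined log format and the indicator patterns are a starting set, not an exhaustive signature list.

```python
import re
from urllib.parse import unquote

# Constructed sample access log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [19/Apr/2023:10:01:02 +0000] "GET /api/v1/report?file=2023-04.pdf HTTP/1.1" 200 5120
203.0.113.11 - - [19/Apr/2023:10:01:05 +0000] "GET /api/v1/report?file=../../../../etc/passwd HTTP/1.1" 200 1843
203.0.113.12 - - [19/Apr/2023:10:01:09 +0000] "GET /api/v1/report?file=..%2F..%2F..%2Fetc%2Fshadow HTTP/1.1" 403 0
203.0.113.13 - - [19/Apr/2023:10:01:12 +0000] "GET /api/v1/report?file=%252e%252e%252f%252e%252e%252fwindows%252fwin.ini HTTP/1.1" 200 92
203.0.113.14 - - [19/Apr/2023:10:01:15 +0000] "GET /api/v1/users/42 HTTP/1.1" 200 310
203.0.113.15 - - [19/Apr/2023:10:01:20 +0000] "GET /api/v1/template?name=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 4000
"""

# Minimal combined-log parser: client IP, timestamp, method, request path, status code.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Directory traversal in either slash style, and a short list of classic LFI targets / wrappers.
TRAVERSAL_RE = re.compile(r'(\.\./|\.\.\\)')
SENSITIVE_RE = re.compile(
    r'(/etc/(passwd|shadow)|/proc/self/|win\.ini|boot\.ini|php://|file://)', re.I
)


def normalize(path, rounds=3):
    """Percent-decode repeatedly so double-encoded payloads (%252e -> %2e -> .) collapse.

    Stops early once decoding no longer changes the string, so a plain path is unaffected.
    """
    cur = path
    for _ in range(rounds):
        nxt = unquote(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur


def classify(path):
    """Return the indicator names found in the decoded request path; empty list if clean."""
    decoded = normalize(path)
    indicators = []
    if TRAVERSAL_RE.search(decoded):
        indicators.append("path-traversal")
    if SENSITIVE_RE.search(decoded):
        indicators.append("sensitive-target")
    return indicators


def scan_log(text):
    """Return (ip, status, raw_path, indicators) for every request line carrying LFI indicators.

    The status code is kept so a 200 on a traversal (likely success) can be triaged ahead
    of a 403 (blocked at the edge).
    """
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        indicators = classify(m.group("path"))
        if indicators:
            hits.append((m.group("ip"), int(m.group("status")), m.group("path"), indicators))
    return hits


if __name__ == "__main__":
    for ip, status, path, indicators in scan_log(SAMPLE_LOG):
        print(f"{ip} {status} {','.join(indicators)} {path}")
```

Decoding before matching is the part that matters: the third and fourth sample lines carry the same payload as the second, and a filter that only looks for a literal `../` sees nothing. The list of sensitive targets is deliberately short; in production it would be fed from the application's actual file roots and the wrappers the runtime supports.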
A new critical flaw has been discovered in the VM2 sandbox library, which is embedded in a range of software tools, allowing attackers to run code outside of the isolated environment. The bug lies in exception sanitization: an attacker can raise an unsanitized host exception, escape the sandbox restrictions and execute arbitrary code in the host context. All users of the VM2 library are advised to upgrade to version 3.9.17, but supply chain complexities may delay the upgrade, leaving many users exposed for an extended period.
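The "supply chain complexities" above usually mean that vm2 is not a direct dependency at all but sits several levels down, so a plain `npm ls` of the top-level package list can miss an old copy. The following lockfile check is an added example written for this briefing, not code from the vm2 project; the `package-lock.json` contents are constructed, and the only fact it takes from the item above is the fixed version, 3.9.17.

```python
import json

FIXED = (3, 9, 17)  # first vm2 release that addresses the escape, per the advisory above

# Constructed package-lock.json (lockfileVersion 3): vm2 is installed directly at the fixed
# version, but an older copy is also nested under a transitive dependency. Not a real project.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"vm2": "^3.9.17", "legacy-runner": "1.2.0"}},
        "node_modules/vm2": {"version": "3.9.17"},
        "node_modules/legacy-runner": {"version": "1.2.0", "dependencies": {"vm2": "3.9.11"}},
        "node_modules/legacy-runner/node_modules/vm2": {"version": "3.9.11"},
    },
})


def parse_version(v):
    """'3.9.17' -> (3, 9, 17). Pre-release / build suffixes ('3.9.17-beta.1') are dropped."""
    core = v.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(p) for p in core.split("."))


def find_package(lock, name):
    """Return [(install_path, version)] for every copy of `name`, including nested ones.

    Handles both the flat "packages" map of lockfileVersion 2/3 and the nested
    "dependencies" tree of lockfileVersion 1.
    """
    found = []
    if "packages" in lock:
        for path, meta in lock["packages"].items():
            if path == "":  # root project entry
                continue
            # the package name is whatever follows the last "node_modules/" segment
            if path.split("node_modules/")[-1] == name and "version" in meta:
                found.append((path, meta["version"]))
    else:
        def walk(deps, prefix):
            for dep, meta in deps.items():
                path = f"{prefix}node_modules/{dep}"
                if dep == name and "version" in meta:
                    found.append((path, meta["version"]))
                walk(meta.get("dependencies", {}), path + "/")
        walk(lock.get("dependencies", {}), "")
    return found


def vulnerable_copies(lock_text, name="vm2", fixed=FIXED):
    """Every installed copy of `name` older than `fixed`, as (path, version) pairs."""
    lock = json.loads(lock_text)
    return [(p, v) for p, v in find_package(lock, name) if parse_version(v) < fixed]


if __name__ == "__main__":
    for path, version in vulnerable_copies(SAMPLE_LOCK):
        print(f"{path}: vm2 {version} < 3.9.17")
```

In the sample the top-level copy is fine and the nested one is not, which is exactly the case a top-level version check reports as "patched". Run it against every lockfile in a monorepo, and treat a nested hit as a request to the upstream maintainer (or an `overrides` entry) rather than something a local `npm update vm2` will fix.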
Researchers have uncovered a sophisticated loader known as "in2al5d p3in4er" that delivers the Aurora information stealer malware. The loader uses advanced anti-VM techniques to target endpoint workstations and checks for the vendor ID of the graphics card installed on the system to avoid detection. It is compiled with Embarcadero RAD Studio, which enables it to generate executables for multiple platforms and evade detection, making it a powerful tool in the hands of cybercriminals.
Iranian hackers continue to use legitimate remote administration tools to compromise their targets, with MuddyWater using the SimpleHelp software to ensure persistence on victim devices, according to cybersecurity firm Group-IB. MuddyWater, which has been active since at least 2017, is thought to be a subgroup within Iran's Ministry of Intelligence and Security. The use of SimpleHelp was first identified in June 2022, but the exact method of distribution is unclear. The group has previously used ScreenConnect, RemoteUtilities, and Syncro in its attacks.
The UK National Cyber Security Centre (NCSC) and US Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint report warning that APT28, a state-sponsored hacking group linked to Russia's General Staff Main Intelligence Directorate (GRU), has been exploiting an old SNMP flaw in Cisco IOS routers to deploy a custom malware named 'Jaguar Tooth'. The malware grants unauthenticated backdoor access to the device and exfiltrates information from the router, which the threat actors use to conduct cyber espionage against European and US interests. The report recommends upgrading routers to the latest firmware, configuring allow and deny lists to restrict access to SNMP interfaces, and switching from SNMP to NETCONF/RESTCONF for remote management.
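The report's two configuration recommendations (restrict who can reach SNMP, and move away from community-string SNMP) can be checked directly against a saved running-config. The audit below is an added example for this briefing, not code from NCSC, CISA or Cisco; the config excerpt is constructed, with made-up hostnames, addresses and community strings, and the check looks only at `snmp-server community` lines and the access lists they reference.

```python
import re

# Constructed IOS running-config excerpt; every value here is made up.
SAMPLE_CONFIG = """\
hostname edge-rtr-1
!
access-list 10 permit 192.0.2.50
access-list 10 deny   any log
!
snmp-server community public RO
snmp-server community s3cr3tmon RO 10
snmp-server community rdonly RO 20
snmp-server community private RW
snmp-server group NMSGRP v3 priv access 10
!
netconf-yang
"""

# Community strings that ship as defaults or appear in every scanner's wordlist.
DEFAULT_COMMUNITIES = {"public", "private", "cisco"}

# snmp-server community <string> [view <name>] [RO|RW] [<acl>]   (IOS defaults to RO)
COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?: view \S+)?(?: (RO|RW))?(?: (\S+))?\s*$", re.I
)


def parse_acls(config):
    """Names/numbers of every access list the config defines (numbered and named forms)."""
    acls = set()
    for line in config.splitlines():
        m = re.match(r"^access-list (\S+) ", line)
        if m:
            acls.add(m.group(1))
        m = re.match(r"^ip access-list (?:standard|extended) (\S+)", line)
        if m:
            acls.add(m.group(1))
    return acls


def audit_snmp(config):
    """Return (severity, message) findings for SNMPv1/v2c community exposure."""
    acls = parse_acls(config)
    findings = []
    for line in config.splitlines():
        m = COMMUNITY_RE.match(line.strip())
        if not m:
            continue
        community = m.group(1)
        mode = (m.group(2) or "RO").upper()
        acl = m.group(3)
        label = f"community '{community}' ({mode})"
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append(("high", f"{label}: well-known default string"))
        if acl is None:
            findings.append(("high", f"{label}: no access list, SNMP reachable from any source"))
        elif acl not in acls:
            findings.append(("medium", f"{label}: references access list {acl} that is not defined"))
        if mode == "RW":
            findings.append(("high", f"{label}: read-write community, prefer SNMPv3 or NETCONF/RESTCONF"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_snmp(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

Only the `s3cr3tmon` community passes: it is read-only and bound to an access list that actually exists. A community with no ACL is the configuration the report is warning about, since the device will then answer SNMP from any source that can route to it. A referenced but undefined ACL is flagged separately because IOS treats it as permit-all, which is easy to miss when reading the config by eye.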
London-based outsourcing firm Capita has yet to confirm whether a claimed leak of its data is genuine. The stolen details reportedly include bank account information, passport photos, home addresses and personal data of teachers applying for jobs at schools. The company has played down fears that personal and corporate information was accessed, but investigations are ongoing.
Researchers have found a new Android malware called "Goldoson" that was spread through 60 legitimate apps on the official Google Play store, totaling more than 100 million downloads in South Korea. Goldoson collects sensitive data, including lists of installed applications, Wi-Fi and Bluetooth device information, and nearby GPS locations, and can perform ad fraud by clicking advertisements in the background without the user’s consent. While some apps were updated by removing the malicious library, others were removed from Google Play.
CommScope, the US network infrastructure giant, was listed on a dark web leak site after a ransomware attack. A trove of the company's data was published by hackers, which included internal documents, invoices, technical drawings, and personal data of thousands of employees, including Social Security numbers and bank account information. CommScope has yet to reveal the number of employees affected or whether they have been notified about the breach.
Crypto security experts are left puzzled as a sophisticated hack has stolen over $10 million worth of cryptocurrency from hardware wallets of experienced and security-conscious crypto users. The attack hit users who were more crypto-native and had reasonable security measures in place, suggesting a highly sophisticated operation. The attack vector points towards a compromise in users' secret recovery phrases, likely due to unintentionally insecure storage.
Over 1.2 million records belonging to law enforcement agencies in the Philippines have been compromised in a massive data breach, exposing sensitive information including fingerprint scans, tax identification numbers, and passport copies. The breach, which lasted at least six weeks, left government documents stored in an unsecured and non-password-protected database. The cybersecurity research company VPNMentor, which revealed the breach, recommended a full forensic audit to determine the extent and impact of the breach.
Cyber News
Security teams take an average of six days to resolve vulnerabilities, yet attackers often exploit them within hours of disclosure. The problem is particularly acute in the cloud, where threat actors increasingly exploit everyday weaknesses such as weak credentials and missing authentication controls. Research by Palo Alto Networks' Unit 42 found that 75% of organizations do not enforce multifactor authentication for console users, and sensitive data was found in 63% of publicly exposed buckets.
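The MFA figure is one of the few in this item that an organization can measure for itself: AWS exposes it through the IAM credential report (`aws iam get-credential-report`), whose `password_enabled` and `mfa_active` columns say, per user, whether console sign-in is possible and whether an MFA device is registered. The parser below is an added example for this briefing, not Unit 42's or AWS's code; the report text is constructed with made-up users and account ID, using the real column layout of that report.

```python
import csv
import io

# Constructed IAM credential report (same column layout as `aws iam get-credential-report`)
# with made-up users and a made-up account ID; not from a real account.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2020-01-10T09:00:00+00:00,not_supported,2023-04-18T07:12:00+00:00,not_supported,not_supported,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2021-03-02T10:00:00+00:00,true,2023-04-18T12:00:00+00:00,2023-01-05T10:00:00+00:00,N/A,true,true,2023-01-05T10:00:00+00:00,2023-04-18T11:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2021-06-15T10:00:00+00:00,true,2023-04-17T08:30:00+00:00,2022-11-20T10:00:00+00:00,N/A,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2022-02-01T10:00:00+00:00,false,no_information,N/A,N/A,false,true,2022-02-01T10:00:00+00:00,2023-04-19T01:00:00+00:00,eu-west-1,ecr,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""


def parse_report(text):
    """Rows of the credential report as dicts keyed by the header names."""
    return list(csv.DictReader(io.StringIO(text)))


def _is_true(value):
    # The report uses "true"/"false" plus "N/A", "not_supported" and "no_information";
    # anything that is not literally true is treated as not enabled.
    return value.strip().lower() == "true"


def console_users_without_mfa(rows):
    """IAM users who can sign in to the console (password_enabled) but have no MFA device."""
    return [
        r["user"] for r in rows
        if _is_true(r["password_enabled"]) and not _is_true(r["mfa_active"])
    ]


def root_without_mfa(rows):
    """True if the root account row reports no MFA device."""
    return any(r["user"] == "<root_account>" and not _is_true(r["mfa_active"]) for r in rows)


def mfa_enforcement_ratio(rows):
    """Share of console-enabled IAM users that have MFA; 1.0 when there are no console users."""
    console = [r for r in rows if _is_true(r["password_enabled"])]
    if not console:
        return 1.0
    return sum(1 for r in console if _is_true(r["mfa_active"])) / len(console)


if __name__ == "__main__":
    rows = parse_report(SAMPLE_REPORT)
    print("console users without MFA:", console_users_without_mfa(rows))
    print("root without MFA:", root_without_mfa(rows))
    print(f"MFA coverage of console users: {mfa_enforcement_ratio(rows):.0%}")
```

Two details matter when reading the output. The root account row reports `not_supported` for `password_enabled`, so it never appears in the per-user list and needs its own check. And a user with only access keys (like `ci-deploy` here) is not a console user, so MFA absence there is not the finding this item is about; key age and last-use are the relevant checks for that row.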
Australians fell victim to scams in record numbers in 2022, losing a staggering $3.1 billion, an 80% increase from the previous year. Investment scams, remote access scams, and payment redirection scams were the top culprits. Scammers are employing increasingly sophisticated tactics, including impersonating official organizations and exploiting data breaches, making it harder for victims to detect fraud. The surge in scams highlights the urgent need for heightened awareness and vigilance in protecting against cyber threats in Australia.
SpecterOps, known for its BloodHound Enterprise platform, has secured $25M in a funding round led by Decibel. The platform maps and pinpoints identity attack paths in Microsoft’s Active Directory (AD) and Azure AD, offering practical remediation guidance and measuring the organization’s security posture. SpecterOps will use the funding to expand its services and training products.
NewsGuard has accused Twitter Blue, Elon Musk's monthly subscription that grants a blue check mark, of allowing bad actors to spread fake and misleading content by purchasing an aura of legitimacy on Twitter. The watchdog tracked 25 "misinformation superspreader accounts" with verified Twitter Blue status that had previously spread false information or narratives in its proprietary Misinformation Fingerprints database. The accounts posted a total of 141 tweets containing false or misleading claims, viewed more than 27 million times and receiving more than three quarters of a million likes and reposts, according to NewsGuard.
Security experts from ESET have announced a successful temporary disruption of the RedLine Stealer's operations, with the help of GitHub. The info-stealing malware, active since early 2020, is known to steal sensitive information from infected systems. By identifying and removing specific repositories used as dead-drop resolvers, the experts were able to make the control panels unusable, forcing the malware's operators to set up new panels to recover their operations.
Subscribe and Comment.
Copyright © 2023 CyberMaterial. All Rights Reserved.
Follow CyberMaterial on: