Cyber Briefing - 2023.04.20

Welcome to Cyber Briefing, the newsletter that informs you about the latest cybersecurity advisories, alerts, incidents and news every weekday.

First time seeing this? Please subscribe.




Cyber Alerts


1. Play ransomware develops custom .NET tools

Security researchers at Symantec have found that the Play ransomware group is using two custom .NET tools, Grixba and VSS Copying Tool, in its intrusions. Grixba enumerates users and computers on the compromised network and fingerprints installed security, backup and remote-administration software; VSS Copying Tool copies files out of Volume Shadow Copy Service snapshots, which lets the attackers read files that are locked by running applications. Custom tooling of this kind indicates the group is investing in carrying out its pre-encryption tasks more quickly and reliably; it has claimed several high-profile victims since the start of the year.
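The behaviours Symantec attributes to these tools, shadow-copy creation and reads plus user and computer enumeration, also show up when intruders use built-in Windows commands, and that is what most process-creation telemetry catches first. The following is an added example (not code from Symantec or from the Play tools) that runs a few such rules over constructed Sysmon-style process-creation records; the command lines, image paths and tag names are assumptions made up for the example, and the rules are stand-ins, since Play's own .NET binaries call the VSS and directory APIs directly rather than spawning these commands.

```python
import re

# Constructed sample of process-creation events (image path, command line),
# in the shape of Sysmon Event ID 1 / Security 4688 fields. These are made
# up for the example; they are not telemetry from Play or Symantec's report.
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
    (r"C:\Windows\System32\vssadmin.exe", "vssadmin create shadow /for=C:"),
    (r"C:\Windows\System32\wbem\WMIC.exe", "wmic shadowcopy call create Volume=C:\\"),
    (r"C:\Users\Public\grx.exe", "grx.exe -scan"),  # unknown binary, no signal here
    (r"C:\Windows\System32\net.exe", 'net group "Domain Admins" /domain'),
    (r"C:\Windows\System32\nltest.exe", "nltest /dclist:corp"),
    (r"C:\Windows\System32\esentutl.exe",
     r"esentutl.exe /y \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1"
     r"\Windows\NTDS\ntds.dit /d C:\temp\ntds.dit /o"),
]

# (tag, regex over the command line). Living-off-the-land stand-ins for the
# behaviours described above: creating shadow copies, reading from them, and
# enumerating the domain. Assumed rules, not a published detection set.
RULES = [
    ("shadow_copy_create", re.compile(r"\bvssadmin(?:\.exe)?\s+create\s+shadow\b", re.I)),
    ("shadow_copy_create", re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+call\s+create\b", re.I)),
    ("shadow_copy_read", re.compile(r"HarddiskVolumeShadowCopy\d+", re.I)),
    ("domain_enumeration",
     re.compile(r"\bnet(?:1|\.exe)?\s+(?:user|group|localgroup|view)\b.*/domain\b", re.I)),
    ("domain_enumeration", re.compile(r"\bnltest(?:\.exe)?\s+/dclist\b", re.I)),
]


def classify(cmdline: str) -> list[str]:
    """Return the sorted, de-duplicated tags that fire for one command line."""
    return sorted({tag for tag, rx in RULES if rx.search(cmdline)})


def scan(events) -> list[tuple[str, list[str]]]:
    """Return (command line, tags) for every event that triggered a rule."""
    hits = []
    for _image, cmdline in events:
        tags = classify(cmdline)
        if tags:
            hits.append((cmdline, tags))
    return hits


def summarize(events) -> dict[str, int]:
    """Count how many events fired each tag; a per-host rollup for triage."""
    counts: dict[str, int] = {}
    for _cmdline, tags in scan(events):
        for tag in tags:
            counts[tag] = counts.get(tag, 0) + 1
    return counts


def looks_like_precursor(events) -> bool:
    """True when one host shows both domain enumeration and shadow-copy
    activity, the combination the two tools described above produce."""
    seen = summarize(events)
    return "domain_enumeration" in seen and any(
        t in seen for t in ("shadow_copy_create", "shadow_copy_read"))


if __name__ == "__main__":
    for cmdline, tags in scan(SAMPLE_EVENTS):
        print(", ".join(tags), "<-", cmdline)
    print("precursor pattern:", looks_like_precursor(SAMPLE_EVENTS))
```

The rollup matters more than any single rule: one `vssadmin create shadow` is routine backup noise, but shadow-copy creation followed by a read of `ntds.dit` out of the snapshot on a host that has just enumerated "Domain Admins" is the sequence worth paging on.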


2. CISA adds new CVE to Catalog

The Cybersecurity and Infrastructure Security Agency (CISA) has added a new vulnerability to its Known Exploited Vulnerabilities Catalog after finding evidence of active exploitation. CVE-2017-6742 is a buffer overflow in the SNMP subsystem of Cisco IOS and IOS XE Software that lets an attacker execute code remotely by sending a crafted SNMP packet to an affected device. Exploitation requires a valid SNMP community string, so restricting SNMP to known management addresses and retiring default or widely shared community strings reduces exposure until the fixed software is installed. The catalog aims to help organizations prioritize remediation efforts and reduce the significant risk of known vulnerabilities.
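Because this flaw is only reachable with a valid community string, the quickest exposure check on a fleet of routers is a pass over their running-configs for SNMP communities that are read-write, use a default name, are not bound to an access list, or are not restricted to an SNMP view (Cisco's published workaround for the 2017 SNMP bugs was to exclude the affected MIBs with a view). The following is an added example, not code from CISA or Cisco, that performs that audit over a constructed IOS configuration snippet; the hostname, community names, ACL numbers and view name are assumptions, the `snmp-server community ... ipv6 <acl>` form is not parsed, and the script says nothing about whether the IOS version itself is patched, which still has to be checked against the Cisco advisory.

```python
import re

# Constructed Cisco IOS running-config excerpt written for this example.
# It is not a configuration from the CISA entry or the Cisco advisory.
SAMPLE_CONFIG = """\
hostname edge-rtr
!
snmp-server community public RO
snmp-server community s3cr3t-RW RW
snmp-server community mon-only view MGMT-VIEW RO 10
snmp-server community legacy RO 99
snmp-server view MGMT-VIEW iso included
snmp-server view MGMT-VIEW ciscoFlashMIB excluded
access-list 10 permit 10.0.0.5
access-list 10 permit 10.0.0.6
!
"""

# snmp-server community <name> [view <view>] RO|RW [<acl>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (?P<name>\S+)"
    r"(?: view (?P<view>\S+))?"
    r" (?P<mode>RO|RW)"
    r"(?: (?P<acl>\S+))?\s*$",
    re.M,
)
VIEW_RE = re.compile(r"^snmp-server view (?P<view>\S+) ", re.M)
ACL_RE = re.compile(
    r"^(?:access-list (?P<num>\d+) |ip access-list (?:standard|extended) (?P<named>\S+))",
    re.M,
)
# Community strings that are widely known or shipped as defaults (assumed list).
DEFAULT_NAMES = {"public", "private", "cisco"}


def audit(config: str) -> dict[str, list[str]]:
    """Map each SNMP community to the exposure findings raised against it.

    An empty list means the community is read-only, non-default, bound to
    a defined ACL and restricted to a defined view.
    """
    views = set(VIEW_RE.findall(config))
    acls = {m.group("num") or m.group("named") for m in ACL_RE.finditer(config)}
    findings: dict[str, list[str]] = {}
    for m in COMMUNITY_RE.finditer(config):
        name, view, mode, acl = m.group("name", "view", "mode", "acl")
        issues = []
        if name.lower() in DEFAULT_NAMES:
            issues.append("default_name")
        if mode == "RW":
            issues.append("rw_community")
        if acl is None:
            issues.append("no_acl")        # any source address may query SNMP
        elif acl not in acls:
            issues.append("acl_undefined") # referenced ACL does not exist, so it permits nothing useful to rely on
        if view is None:
            issues.append("no_view")       # all MIBs, including the affected ones, are reachable
        elif view not in views:
            issues.append("view_undefined")
        findings[name] = issues
    return findings


def exposed_communities(config: str) -> list[str]:
    """Names of communities with at least one finding, in config order."""
    return [name for name, issues in audit(config).items() if issues]


if __name__ == "__main__":
    for name, issues in audit(SAMPLE_CONFIG).items():
        print(f"{name:12s} {', '.join(issues) or 'ok'}")
```

Run against `show running-config` output collected from each device; `mon-only` is the shape to aim for, while `public` with no ACL and no view is the configuration an attacker who already holds a foothold on the management network can exploit without any credential harvesting.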


3. Red Hat releases security updates for Linux

Red Hat has released security updates for multiple products, including the Linux kernel in CodeReady Linux Builder, Enterprise Linux, Enterprise Linux Server, and Virtualization Host 4. The updates address vulnerabilities that could be exploited by attackers. Users and administrators are encouraged to apply the updates as soon as possible to protect their systems from potential attacks.


4. Google Chrome Fixes Second Zero-Day Vulnerability

Google has released an emergency security update for its Chrome web browser to address a high-severity integer overflow in Skia, the browser's 2D graphics library (tracked as CVE-2023-2136). It is the second Chrome zero-day found exploited in attacks this year. The flaw was reported by Clément Lecigne of Google's Threat Analysis Group and can lead to memory corruption and arbitrary code execution in the browser. All Chrome users should apply the available update as soon as possible, and operators of Chromium-based browsers should watch for the corresponding fix from their vendor.


5. PaperCut warns of exploited software flaws

PaperCut, a widely deployed print management software vendor, is urging customers to update immediately because attackers are exploiting flaws in its servers. The company says Trend Micro's Zero Day Initiative reported two vulnerabilities in PaperCut MF and NG on January 10th, 2023: a critical one (CVE-2023-27350) that allows an unauthenticated attacker to execute code on the server, and a high-severity one (CVE-2023-27351) that exposes information without authentication. Both are now being exploited in the wild, and the company recommends upgrading to the latest patched versions; an unpatched PaperCut server reachable from the internet or from user networks should be treated as likely compromised and checked for unexpected admin activity.


6. UK warns of Russian hacktivist threat

The United Kingdom's National Cyber Security Centre (NCSC) has issued an alert warning of an emerging class of Russia-aligned hacktivist groups that pose a heightened threat to organizations, particularly in the form of disruption of operational technology and denial-of-service activity. While the NCSC judges the risk of serious damage to well-defended networks to be low, it advises all organizations to apply recommended security measures, particularly around secure system administration. The NCSC's guidance for periods of elevated cyber threat lists the actions to take: keep systems patched, verify access controls, confirm that defences are functioning, ensure logging and monitoring are in place, and have an incident response plan ready.



Cyber Incidents


1. DoNot APT Cyber Attack on Individual in Kashmir

CYFIRMA, a cybersecurity firm, has detected a recent cyber-attack on an individual living in Kashmir, India, delivered through two malicious Android apps disguised as chat applications: Ten Messenger.apk and Link Chat QQ.apk. Analysis of the samples links the attack to DoNot APT, a group with a long record of activity in the region that has previously targeted entities in South Asian countries including India, Pakistan and Bangladesh. The malicious app hides its icon from the launcher and prompts the victim to enable Android's Accessibility Service for "Link Chat"; once granted, that permission lets the operators read on-screen data, harvest personal information and track the victim's live location.


2. Transparent Tribe deploys new Linux backdoor

Transparent Tribe, also known as APT36, has targeted Indian government agencies with a new Linux backdoor called Poseidon. The malware is delivered through a fake version of Kavach, the two-factor authentication software mandated for Indian government users. Poseidon gives the attackers a range of capabilities, including keystroke logging and screenshot capture. Users working within the Indian government are advised to treat URLs received by email with caution and to obtain Kavach only from its official source, since the lure depends entirely on social engineering. The consequences of a successful APT36 intrusion can include the loss of sensitive information, financial losses and reputational damage.


3. Healthcare Provider Hit by Ransomware

Point32Health, the Canton, Massachusetts health insurer that is the parent of Harvard Pilgrim Health Care and Tufts Health Plan, suffered a ransomware attack that forced its systems offline. The attack disrupted access to services for over 2 million members and affected systems used for member services, accounts, brokers and providers. Point32Health is working around the clock to provide workarounds so members can continue to receive services and has contacted law enforcement as part of an ongoing investigation.


4. Rentomojo Reports Data Breach

Online rental marketplace start-up Rentomojo, which lets users rent furniture, appliances and motorbikes on a subscription basis, reported a data breach affecting about 150,000 (1.5 lakh) subscribers. The breach involved unauthorized access to one of the start-up's databases and may have exposed personally identifiable information. Rentomojo says it has secured the database, encrypted the information stored in it, implemented multi-factor authentication and begun ongoing security audits to identify and mitigate further risks.


5. CFPB Employee Breaches Consumer Data Privacy

The Consumer Financial Protection Bureau (CFPB) has reported a "major incident" in which a former employee forwarded confidential consumer data to a personal email account. Around 256,000 people were affected, with personally identifiable information, including transaction-specific account numbers, compromised. The CFPB states that it has found no evidence of further dissemination of the data, but the former employee has refused to provide evidence that it has been deleted.



Cyber News


1. Record-breaking ransomware attacks in March

March saw a 91% month-on-month increase in ransomware attacks, reaching a record high of 459 incidents, according to analysts at NCC Group. The surge was driven by Clop's exploitation of a zero-day vulnerability in Fortra's GoAnywhere MFT secure file transfer tool, which the group used to steal data from about 130 organizations within ten days. The most targeted sector was "Industrials," accounting for 32% of recorded attacks, followed by "Consumer Cyclicals," "Technology," "Healthcare," "Basic Materials," "Financials," and "Educational Services."


2. Iranian hacker group linked to US attacks

Microsoft has identified an Iranian government-backed actor, which it tracks as Mint Sandstorm, as responsible for cyberattacks on critical infrastructure in the U.S. between late 2021 and mid-2022. The targeted entities included seaports, energy companies, transit systems, and a major U.S. utility and gas company. Microsoft assesses that the attacks were likely retaliation for cyberattacks on Iran's maritime, railway and gas station payment systems.


3. Safe Security Raises $50M

Safe Security, a Silicon Valley-based startup, has secured $50 million in Series B funding led by Sorenson Capital, along with Eight Roads, Fidelity Investments, and Telstra Ventures. The company uses a scoring algorithm to measure a company's security posture and provide an aggregated view of enterprise cyber risk. Safe Security aims to provide cybersecurity teams with visibility across their entire attack surface, technology, people, and third parties to automate and measure exposure to risk, fulfilling the needs of regulators and cyber insurance.


4. Russian Ryuk money launderer sentenced

Denis Mihaqlovic Dubnikov, the Russian national who admitted to laundering money for the Ryuk ransomware operation, has been sentenced to time served. Prosecutors said the conspiracy he took part in laundered at least $70 million in ransom proceeds for the group. He pleaded guilty to one count of conspiracy to commit money laundering in February 2023 and was sentenced to time served and ordered to pay $2,000 in restitution. The Ryuk operation was estimated to have taken in $150 million before it was gradually replaced by Conti over the course of 2020 and 2021.



Subscribe and Comment.

Copyright © 2023 CyberMaterial. All Rights Reserved.

Follow CyberMaterial on:

LinkedIn, Twitter, Reddit, Instagram, Facebook, Youtube, and Medium.

