Cyber Briefing - 2023.07.03
The latest in cybersecurity: Proxyjacking Campaign, POWERSTAR Backdoor, WordPress, Samsung, DDoS, Akira Decryptor, Russia, LockBit, Dublin Airport, Meta, WhatsApp.
Welcome to?Cyber Briefing, the newsletter that informs you about the latest cybersecurity advisories, alerts, incidents and news every weekday.
First time seeing this? Please?subscribe.
???Cyber Alerts
A financially motivated campaign has been discovered, targeting vulnerable SSH servers to secretly enlist them into a proxy network. The attackers utilize SSH for remote access, running malicious scripts that covertly turn victim servers into peer-to-peer proxy nodes. Unlike cryptojacking, this proxyjacking technique allows threat actors to leverage the victim's unused bandwidth to run various services, providing reduced resource load and minimizing the chances of detection. This stealthier alternative poses serious implications, increasing the challenges of defending against proxied Layer 7 attacks.
Security firm Volexity has uncovered the activities of the Iran-linked Charming Kitten group, also known as APT35, Phosphorus, Newscaster, and Ajax Security Team. In their latest spear-phishing campaign, the group utilized an updated version of their PowerShell backdoor called POWERSTAR. Volexity's analysis revealed that Charming Kitten has been continuously evolving their malware alongside their spear-phishing techniques, demonstrating their persistent efforts to enhance their cyber espionage capabilities. The upgraded POWERSTAR backdoor incorporates anti-analysis measures, utilizes private hosting infrastructure, and employs sophisticated tactics, such as separating the decryption method from the initial code, making it harder to detect and analyze.
Wordfence researchers have uncovered a critical authentication bypass vulnerability in the miniOrange WordPress Social Login and Register plugin, potentially allowing unauthenticated attackers to gain access to any account on a site by knowing the associated email address. The flaw, affecting versions up to and including 7.6.4, stems from insufficient encryption on the user's login information, enabling threat actors to log in as any existing user, including administrators. Although partially patched in version 7.6.4, the vulnerability was fully addressed in version 7.6.5.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning regarding ongoing distributed denial-of-service (DDoS) attacks targeting U.S. organizations across multiple industry sectors. CISA advises organizations to proactively prepare their security teams to mitigate the impact of such attacks. Network administrators are urged to be ready to implement firewall rules and redirect malicious traffic through DoS protection services, while internet service providers (ISPs) can offer guidance on appropriate response measures.
The US Cybersecurity and Infrastructure Security Agency (CISA) has included multiple vulnerabilities found in Samsung smartphones in its Known Exploited Vulnerabilities Catalog, suggesting they have been targeted by a commercial spyware vendor. CISA added a total of eight new vulnerabilities to the catalog, including flaws in D-Link routers and access points exploited by a variant of the Mirai botnet. The Samsung vulnerabilities, which have all been patched by the company in 2021, range from out-of-bounds read and format string bugs to use-after-free and out-of-bounds access vulnerabilities.
Avast, the cybersecurity firm, has developed a powerful decryptor to assist victims of the Akira ransomware in recovering their data without paying a ransom. Akira, a notorious ransomware strain that targeted organizations worldwide, recently expanded its attacks to include Linux-based systems, including VMware ESXi virtual machines. Avast's analysis of Akira's encryption method and its partial file encryption approach likely contributed to the successful development of the decryptor, which offers options for backing up files and restoring data for affected users. Although the release of the decryptor may prompt Akira's operators to improve their encryption techniques, Avast continues to work on a Linux version of the tool for future victims.
In a concerning development, the LockBit ransomware gang's National Hazard Agency has listed Taiwan Semiconductor Manufacturing Company (TSMC), the global chip manufacturing leader, on its dark web leak site, demanding a hefty $70 million ransom to prevent the release of alleged data. While the exact nature of the compromised data remains unknown, TSMC has been given until August 6 to respond to the threat, with potential consequences including the publication of entry points, passwords, and logins. Additionally, it has been reported that TSMC supplier Kinmax Technologies experienced a cyberattack, potentially leading to the leak of server setup and configuration information.
领英推荐
At least 100,000 individuals are potentially impacted by a recent cyberattack on contractors at the Department of Health and Human Services, making it the latest US government agency to fall victim to a large-scale hack linked to Russian cybercriminals. The breach, connected to the exploitation of MOVEit Transfer software used by third-party vendors, allowed attackers to gain unauthorized access to data. Although HHS systems were not compromised, the incident highlights the widespread vulnerability and the extent of the cyberattack affecting numerous sectors across the US and UK, including finance, industry, law, healthcare, and technology.
Officials across multiple states are launching investigations into a series of cyberattacks on state-run websites, allegedly carried out by the politically motivated hacking group SiegedSec. The group targeted five state websites, defacing them and claiming to have stolen data. While their motives remain undisclosed in this attack, previous actions by SiegedSec have explicitly referenced political issues. Government authorities are working diligently to assess the extent of the breaches, identify vulnerabilities, and enhance security measures to prevent future incidents.
A recent cyber attack on professional service provider Aon has led to the compromise of pay and benefits information for nearly 2,000 staff members at daa, the operator of Dublin Airport. The attack targeted the file-transfer software tool MOVEit, which affected several global companies, including daa. The company has notified the Data Protection Commissioner and is offering support to affected employees, emphasizing its commitment to safeguarding sensitive personal information.
???Cyber News
The European Union Council and EU Parliament have reached a political agreement on the framework for a European Digital Identity, enabling citizens to access various private and public services securely using a single online ID. The proposal includes the introduction of a "high assurance" digital wallet as a national electronic ID, which citizens can voluntarily obtain for free. The agreement also emphasizes the adoption of common technical architecture, security standards, and compliance with cybersecurity regulations for digital wallets across the EU.
Poland's justice authorities have apprehended a professional ice hockey player on allegations of working as a spy for the Russian government. The player, described as a Russian national and a member of a first-division club, has been residing in Poland since 2021. Prosecutors claim that he was involved in espionage activities, including identifying critical infrastructure, and is the 14th member of the espionage network to be arrested. If convicted, he could face up to 10 years in prison. The arrest follows previous espionage cases in Poland involving individuals linked to Russian intelligence services, indicating heightened concerns over cybersecurity and potential cyberattacks.
WhatsApp, owned by Meta, has introduced updates to its proxy feature, expanding the range of content that can be shared in conversations. The enhancements include the ability to send and receive images, voice notes, files, stickers, and GIFs, offering users more options for communication. Additionally, the updates simplify the setup process and introduce shareable links for automatic installation of functioning proxy addresses, aiding users in bypassing government-imposed censorship and internet shutdowns. Internet shutdowns have become increasingly prevalent worldwide, with 80 shutdowns recorded in the first five months of 2023 alone, making these enhancements crucial for users affected by such restrictions.
In a shocking case, a compliance executive at a payments company has been charged with insider trading for allegedly accessing corporate deal details from his girlfriend's laptop, who worked as an executive assistant at an investment bank. Steven Teixeira repeatedly obtained confidential information on upcoming transactions and shared them with a friend, according to the U.S. Justice Department and Securities and Exchange Commission. The illicit activities took place during the Covid-19 pandemic while the couple worked from their shared home in Queens, N.Y.
Police in HCMC have apprehended a Vietnamese man for allegedly hacking into a major bank's system and embezzling VND10 billion ($424,000). The suspect, Duong Minh Tam, is accused of using computer networks and digital devices to appropriate property. Tam's arrest follows a report filed by the bank in HCMC, initiating an investigation into the incident.
Subscribe?and Comment.
Copyright ? 2023?CyberMaterial. All Rights Reserved.
Follow CyberMaterial on: