Cybersecurity news
- Threat actors are abusing the popular Chocolatey Windows package manager in a new phishing campaign to install new ‘Serpent’ backdoor malware on systems of French government agencies and large construction firms.
- The Cybersecurity and Infrastructure Security Agency (CISA) has added a massive set of 66 actively exploited vulnerabilities to its catalog of ‘Known Exploited Vulnerabilities’. These flaws have been observed in real cyberattacks against organizations, so they are published to raise awareness among system administrators and serve as official advisories for applying the corresponding security updates.
- A new remote access trojan (RAT) named Borat has appeared on darknet markets, offering easy-to-use features to conduct DDoS attacks, UAC bypass, and ransomware deployment. As a RAT, Borat enables remote threat actors to take complete control of their victim’s mouse and keyboard, access files, network points, and hide any signs of their presence.
- Taiwan-based network-attached storage (NAS) maker QNAP warned that most of its NAS devices are impacted by a high severity OpenSSL bug. Attackers can exploit the vulnerability, tracked as CVE-2022-0778, to trigger a denial of service state and remotely crash unpatched devices.
- A Mirai-based distributed denial-of-service (DDoS) botnet tracked as Beastmode (aka B3astmode) has updated its list of exploits to include several new ones, three of them targeting various models of Totolink routers. By taking control of the vulnerable routers, Beastmode has access to hardware resources that allow it to launch DDoS attacks.
- The Federal Communications Commission added Russia’s AO Kaspersky Lab, China Telecom (Americas) Corp and China Mobile International USA to its list of communications equipment and service providers deemed threats to U.S. national security. Companies such as Huawei and ZTE had already been included in this list.
- Japanese cybersecurity software firm Trend Micro has patched a high severity security flaw in the Apex Central product management console that can let attackers execute arbitrary code remotely.
- Researchers from Fortinet have observed the Chinese APT group Deep Panda exploiting the Log4Shell vulnerability to compromise VMware Horizon servers and deploy the previously undetected Fire Chili rootkit.
Cybersecurity Blog Posts
- Dotan Nahum, a CheckPoint expert, listed nine of the best Git solutions for scanning secrets that can be added to the SecOps toolkit.
- Tim Erlin has shared his opinion on a growing trend towards shorter timeframes for reporting cybersecurity incidents. The author highlighted the importance of timely reporting while arguing that it must be balanced with an emphasis on the quality and completeness of the reported data.
- Michael Jonkmans in the NVISO Labs blog briefly reviewed the basic principles of vulnerability management and how it can help protect an organization from threats and attackers trying to exploit weaknesses.
- CheckPoint experts analyzed the increasing number of attacks on mobile devices, the types of such attacks and ways to protect against them. As the mobile ecosystem continues to expand, so will the attack surface area available to attackers.
Research and analytics
- The Menlo Labs research team has studied a new class of cyber threats attackers are using to successfully launch ransomware and phishing attacks, dubbed Highly Evasive Adaptive Threats (HEAT). Specifically, ESG research has found that 36% of organizations have experienced attempted ransomware attacks on a daily, weekly, or monthly basis, while an additional 27% have encountered ransomware on a sporadic basis over the last 12 months.
- Cequence has published a report, API Security Threat Report: Bots and Automated Attacks Explode. The numbers prove that both developers and attackers have made the shift: of the 21.1 billion transactions analyzed by Cequence Security in the last half of 2021, 14 billion (70%) were API transactions.
- The FBI’s Internet Crime Complaint Center (IC3) has released its annual report. It includes information from 847,376 complaints of suspected internet crime, a 7% increase from 2020, and reported losses exceeding $6.9 billion. The most destructive Internet crime in 2021 was business email compromise (BEC). In 2021, the FBI received almost 20 thousand complaints about BEC attacks and estimated losses of almost $2.4 billion.
- Palo Alto Networks has published the Unit 42 Ransomware Threat Report. Innovations by ransomware operators have made it harder for organizations to defend against ransomware, forcing some to make hefty payments. The average ransom demand on cases worked by Unit 42 consultants last year climbed 144% to $2.2 million, while the average payment rose 78% to $541,010.
- According to The 2021 Vulnerability Intelligence Report by Rapid7, the average time to known exploitation for vulnerabilities in this report was 12 days in 2021, compared with 42 days for vulnerabilities in Rapid7’s 2020 report, a 71% decrease.
- Tekon engineering controllers, which are used, among other things, to control elevators, are vulnerable to attack from anywhere on the Internet, according to information security specialist Jose Bertin. Many of them are directly reachable from the Internet, and their owners are in no hurry to change the default administrator password.
- According to Netscout Threat Intelligence Report attackers started launching more potent direct-path attacks to take down user applications and services, thereby disrupting consumers’ ability to access the internet. Meanwhile, they continued to innovate with server-class botnets and increased use of DDoS techniques such as carpet-bombing.
- Kaspersky Lab has published an analysis of the market for phishing kits, tools for quickly creating fake websites and collecting the data stolen with their help. In total, over the past year, experts have discovered and blocked about 1.2 million phishing pages created with the help of phishing kits.
- Intezer’s research team has published a technical analysis of a newly detected campaign that initiates attacks with a phishing email using conversation hijacking to deliver IcedID.
Major Cyber Incidents
- IT and software consultancy firm Globant has confirmed that they were breached by the Lapsus$ data extortion group, where data consisting of administrator credentials and source code was leaked by the threat actors. As part of the leak, the hacking group released a 70GB archive of data stolen from Globant, describing it as “some customers source code”.
- Okta, a major provider of access management systems, says that 2.5%, or approximately 375 customers, were impacted by a cyberattack claimed by the Lapsus$ data extortion group.
- ELTA, the state-owned provider of postal services in Greece, has disclosed a ransomware incident it detected. More specifically, its IT teams have determined that the threat actors exploited an unpatched vulnerability to drop malware that allowed access to one workstation using an HTTPS reverse shell.
- Threat actors have stolen almost $625 million in Ethereum and USDC tokens from Axie Infinity’s Ronin network bridge. The attackers have stolen roughly 173,600 ether and 25.5 million USDC. The Ronin bridge and Katana Dex have been halted following the attack.
- The Lapsus$ gang posted a screenshot to their Telegram channel indicating that they hacked Microsoft’s Azure DevOps server containing source code for Bing, Cortana, and various other internal projects. Moreover, the hacking group posted a torrent for a 9 GB 7zip archive containing the source code of over 250 projects that they say belong to Microsoft.
- Online retail and photography manufacturing platform Shutterfly has disclosed a data breach that exposed employee information after threat actors stole data during a Conti ransomware attack.