Cybersecurity Digest #47: 04/04/2022 – 15/04/2022

Cybersecurity news

• Elementor, a WordPress website builder plugin with over five million active installations, has been found to be vulnerable to an authenticated remote code execution flaw, that could be abused to take over affected websites.
• Threat actors have launched a new marketplace called Industrial Spy that sells stolen data from breached companies, as well as offering free stolen data to its members. Industrial Spy promotes itself as a marketplace, where businesses can purchase their competitors’ data to gain access to trade secrets, manufacturing diagrams, accounting reports, and client databases.
• Hackers are increasingly targeting DeFi cryptocurrency platforms. In 2021 alone, about $3.2 billion worth of digital assets were stolen, which was already an explosion compared to previous years. The trajectory for 2022 looks to be even more aggressive, with almost $1.3 billion already stolen during the Q1 alone.
• Cisco has released a security advisory to warn about a critical vulnerability (CVSS v3 score: 10.0), tracked as CVE-2022-20695, impacting the Wireless LAN Controller software. The security flaw allows remote attackers to log in to target devices through the management interface without using a valid password.
• A proof-of-concept exploit has been released online for the VMware CVE-2022-22954 remote code execution vulnerability, already being used in active attacks that infect servers with coin miners. The vulnerability is a critical (CVSS: 9.8) remote code execution impacting VMware Workspace ONE Access and VMware Identity Manager, two widely used software products.
• The Cybersecurity and Infrastructure Security Agency (CISA) has added ten new security bugs to its list of actively exploited vulnerabilities, including a high severity local privilege escalation bug in the Windows Common Log File System Driver.
• GitHub has announced, that it expanded its code hosting platform’s secrets scanning capabilities for GitHub Advanced Security customers to block secret leaks automatically. Secret scanning is an advanced security option, that organizations using GitHub Enterprise Cloud with a GitHub Advanced Security license can enable for additional repository scanning.
• A new WhatsApp phishing campaign impersonating WhatsApp’s voice message feature has been discovered, attempting to spread information-stealing malware to at least 27,655 email addresses.

Cybersecurity Blog Posts

• Todd Schell, Senior Product Manager of Ivanti, analyzed the released security updates of Microsoft, Apple, VMware, Adobe, Google and other vendors, and gave comments on the planned updates of the companies.
• Google’s blog has released a post about an improving software supply chain security with tamper-proof builds.
• Zur Ulianitzky, Head of Research at XM Cyber, talked about the top attack techniques used by threat actors to compromise critical assets in enterprise and cloud environments.
• CIS presented a guidance for achieving essential cyber hygiene. These recommendations can help organizations to protect themselves from most malicious techniques.

Research and analytics

• According to the 2022 Cyber Threat Defense Report, 71% of organizations suffered from ransomware attacks last year, up from 55% in 2017. Of those, who were victimized, almost 63% paid the requested ransom, up from 39% in 2017.
• A study by Javelin 2022 Identity Fraud Study showed, that traditional identity fraud losses, those involving any use of a consumer’s personal information to achieve illicit financial gain, amounted to $24 billion and ensnared 15 million U.S. consumers. Losses involving identity fraud scams, involving direct contact with victims by criminals, totaled $28 billion and affected 27 million consumers in the United States.
• According to Software Device Research, 49% of small practices and 15% of large practices don’t have a codified plan of action in the event of a data breach or cyberattack.
• According to Check Point Research, in the first weekend spots 37K attempts to allocate the Spring4Shell vulnerability. During the first 4 days 16% of the organizations worldwide were impacted by exploitation attempts.
• According to the latest report by Dragos, hackers pose a serious threat to the European industrial infrastructure. Currently, industrial enterprises in Europe are being attacked by at least ten cybercrime groups – Xenotime, Magnallium, Electrum, Allanite, Chrysene, Kamacite, Covellite, Vanadinite, Parisite and Dymalloy.
• Experts of Check Point Research found anti-virus apps on the Google Play store disguised as legitimate, which downloaded and installed android malware. At least six different apps with over 15,000 total downloads were spreading the malware: Atom Clean-Booster, Alpha Antivirus, Center Security etc. Moreover, dubbed “Sharkbot” the malware steals credentials and banking information.
• Intel has published the results of a study on how organizations approach security innovations. The main findings show, that companies value innovative security products when purchasing technologies and services, especially at the equipment level.
• Splunk and Enterprise Strategy Group has released the annual global report State of Security 2022, which examines the security challenges facing a modern enterprise. More than 1,200 security service managers took part in the survey. In their opinion, there is an increase in the number of cyber attacks and at the same time a shortage of personnel.
• The team of Paloalto researchers has released the report The Latest Unit 42 Cloud Threat Research. As a result, the ongoing transition to cloud platforms has meant that more sensitive data is stored in the cloud, making it more tempting for adversaries to exploit. When it comes to securing the cloud, identity is the first line of defense. Without proper identity and access management (IAM) policies in place, an organization can pay for any number of security tools – but comprehensive security will never be possible.
• Kaspersky Lab shared what it learned about Black Cat ransomware. According to the report, BlackCat uses a modified version of a closed tool called Fender, which was previously used only by BlackMatter.

Major Cyber Incidents

• GitHub revealed that an attacker is using stolen OAuth user tokens to download data from private repositories. Since this campaign was first spotted, the threat actor has already accessed and stolen data from dozens of victim organizations using Heroku and Travis-CI-maintained OAuth apps, including npm.
• Florida International University has been impacted by the BlackCat ransomware gang. According to The Record, a news site by cybersecurity firm Recorded Future. While BlackCat has claimed to have stolen 1.2TB of data from FIU, including accounting documents, contracts, email databases, and Social Security numbers.
• A regional U.S. government agency compromised with LockBit ransomware had the threat actor in its network for at least five months before the payload was deployed, security researchers found.
• Japanese tech giant Panasonic has confirmed its Canadian operations were hit by a cyberattack, less than six months after the company last fell victim to hackers.
• Insikt Group specialists reported cyber attacks on the networks of seven Indian State Load Dispatch Centers (SLDC), which perform real-time operations to control the network and dispatch electricity.
  Block has confirmed a data breach involving a former employee who downloaded reports from Cash App that contained some U.S. customer information.
• A cybercrime group has leaked several gigabytes of files allegedly stolen from US industrial components giant Parker Hannifin. The company specialize in motion and control technologies, and it provides precision engineered solutions for organizations in the aerospace, mobile, and industrial sectors.
• Email marketing firm MailChimp disclosed, that they had been hit by hackers, who gained access to internal customer support and account management tools, to steal audience data and conduct phishing attacks.