Cybersecurity Digest #55: 25/07/2022 – 05/08/2022

Cybersecurity news

  • The Cybersecurity and Infrastructure Security Agency has added the Zimbra CVE-2022-27824 flaw to its ‘Known Exploited Vulnerabilities Catalog,’ indicating that it is actively exploited in attacks by hackers. This high-severity vulnerability allows an unauthenticated attacker to steal email account credentials in cleartext form from Zimbra Collaboration instances without user interaction.
  • Researchers at Trellix have discovered a critical unauthenticated remote code execution vulnerability impacting 29 models of the DrayTek Vigor series of business routers. The attacker does not need credentials or user interaction to exploit the vulnerability, with the default device configuration making the attack viable via the internet and LAN.
  • Security researchers have discovered a new vulnerability called ParseThru affecting Golang-based applications that could be abused to gain unauthorized access to cloud-based applications. The issue has to do with inconsistencies stemming from changes introduced to Golang’s URL parsing logic that’s implemented in the “net/url” library.
  • No More Ransom, the initiative launched to help victims of ransomware decrypt their files, celebrates its six-year anniversary. Since the launch, it has grown from four partners to 188 and has contributed 136 decryption tools covering 165 ransomware families. In doing so, it has helped more than 1.5 million people decrypt their devices all over the world – with the project available in 37 languages.
  • A new phishing as a service platform named ‘Robin Banks’ has been launched, offering ready-made phishing kits targeting the customers of well-known banks and online services. The targeted entities include Citibank, Bank of America, Capital One, Wells Fargo, PNC, U.S. Bank, Lloyds Bank, the Commonwealth Bank in Australia, and Santander. Additionally, Robin Banks offers templates to steal Microsoft, Google, Netflix, and T-Mobile accounts.
  • Microsoft says attackers increasingly use malicious Internet Information Services (IIS) web server extensions to backdoor unpatched Exchange servers, as these have lower detection rates than web shells. Because they sit deep inside the compromised server, are installed in the same location as legitimate modules and share their structure, they are very hard to detect and give attackers a durable persistence mechanism.

Cybersecurity Blog Posts

Research and analytics

  • Check Point Research reports that the second quarter of 2022 saw an all-time peak, with global cyber-attacks up 32% compared to Q2 2021. The average number of weekly attacks per organization worldwide reached a peak of 1.2K. The education and research sector continues to be the most heavily attacked industry, seeing a 53% increase year-over-year. Globally, 1 out of 40 organizations was impacted by ransomware attacks, a worrying 59% increase year-over-year.
  • Software vulnerabilities remain a key avenue of initial access for attackers, according to the 2022 Unit 42 Incident Response Report. Experts found that they were the suspected initial access vector in 31% of the cases Unit 42 investigated, second only to phishing at 37%.
  • A recent survey by Gurucul has shown that 73.48% of organisations feel they have wasted the majority of their cybersecurity budget on failing to remediate threats, despite having an over-abundance of security tools at their disposal.
  • IBM has just released the new 2022 Cost of a Data Breach Report. This year the cost of a data breach has reached an all-time high of $4.35M. With breach costs increasing nearly 13% over the last two years of the report, the findings suggest these incidents may also be contributing to rising costs of goods and services.
  • The Recorded Future report Bots for Stealing One-Time Passwords Simplify Fraud Schemes details how one-time password (OTP) bypass bots work, how they fit into existing fraud schemes, and the threats they pose to individuals and financial institutions. The report also includes a tutorial on how cybercriminals configure and use OTP bypass bots.
  • A Panaseer survey of global insurers across the UK and US found that 82% are expecting the rise in premiums to continue, with 74% of insurers agreeing that their inability to accurately understand a customer’s security posture is impacting price increases.
  • CYTRIO released findings from additional independent research it conducted during Q1 2022 on the state of companies’ readiness to comply with the California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), and the European Union’s General Data Protection Regulation (GDPR). As of March 31, 2022, the findings uncovered that 90% of companies are not fully compliant with CCPA and CPRA Data Subject Access Request (DSAR) requirements. Further, 95% of companies are using error-prone and time-consuming manual processes for GDPR DSAR requirements.
  • Nearly a third of businesses are being reckless with customer data, according to a new study by Tonic.ai. A poll of 1,000 American business professionals and software developers finds that 29% use unprotected production data (real customer data) in testing environments when testing and troubleshooting their company’s software, increasing the risk of exposure in the event of a data breach.
  • Proofpoint has observed the use of VBA and XL4 macros decrease by approximately 66% from October 2021 through June 2022, based on campaign data. Proofpoint has also observed a slight increase in threat actors using HTML attachments to deliver malware. The number of malware campaigns using HTML attachments more than doubled from October 2021 to June 2022, but the overall number remains low. Researchers also observed threat actors increasingly adopting HTML smuggling, a technique used to “smuggle” an encoded malicious file within a specially crafted HTML attachment or web page.
  • According to Coveware statistics, the average ransom payment increased 8% from Q1 2022 to $228,125. While the average was pulled up by several outliers, the median ransom payment actually decreased to $36,360, a 51% decrease from Q1 2022.

Major Cyber Incidents

  • Twitter was forced to investigate an incident after a hacker offered the personal details of 5.4 million Twitter users on a hacker forum for $30,000 last month. Twitter confirmed that a threat actor exploited a vulnerability that put user privacy on the platform at risk. The company revealed that the breach had a “global impact,” and it is still unclear exactly how many Twitter accounts were affected.
  • The United Kingdom’s National Health Service 111 emergency service is affected by a significant and ongoing outage triggered by a cyberattack that hit the systems of British managed service provider Advanced. Advanced’s Adastra client patient management solution, which is used by 85% of NHS 111 services, has been hit by a major outage together with several other services provided by the MSP, according to a status page.
  • The Association of German Chambers of Industry and Commerce (DIHK) was forced to shut down all of its IT systems and switch off digital services, telephones, and email servers, in response to a cyberattack. The organization deals with legal representation, consultation, foreign trade promotion, training, regional economic development, and offers general support services to its members.
  • German power electronics manufacturer Semikron revealed that it has been targeted in a cyberattack. In a notice posted on its website, Semikron said it had been targeted by ‘a professional hacker group’. The company said the incident resulted in the partial encryption of IT systems and files.
  • Solana, an increasingly popular blockchain known for its speedy transactions, has become the target of the crypto sphere’s latest hack after users reported that funds have been drained from internet-connected “hot” wallets. An unknown actor drained funds from approximately 8,000 wallets on the Solana network, Solana’s Status Twitter account said. It’s estimated the loss so far is around $8 million.
  • Hackers have targeted an official website for booking COVID-19 vaccinations, Italian authorities have said. The website of Lazio, the region of Rome, was unavailable for several hours, the municipality confirmed on social media. The “powerful” cyberattack prevented citizens from booking appointments for a coronavirus vaccine, as well as other services.