Cybersecurity Digest #56: 08/08/2022 – 19/08/2022

Cybersecurity News

  • Kaspersky linked with medium confidence the Maui ransomware operation to the North Korea-backed APT group Andariel, which is considered a division of the Lazarus APT Group. North Korean nation-state actors used Maui ransomware to encrypt servers providing healthcare services, including electronic health records services, diagnostics services, imaging services, and intranet services.
  • A young hacker based in Verona, Italy, recently uploaded multiple malicious Python packages containing ransomware scripts to the Python Package Index (PyPI), supposedly as an experiment. According to the researchers at Sonatype who spotted the malicious code on PyPI, one of the packages (requesys) was downloaded about 258 times.
  • A group of researchers has revealed details of a new vulnerability affecting Intel CPUs that enables attackers to obtain encryption keys and other secret information from the processors. Dubbed AEPIC Leak, the weakness is the first-of-its-kind to architecturally disclose sensitive data in a manner that’s akin to an “uninitialized memory read in the CPU itself.”
  • Two researchers recently discovered security flaws in 5G IoT APIs that could allow attackers to access data or gain direct access to IoT devices on networks. The researchers presented their findings at the Black Hat security conference in Las Vegas.
  • A PoC exploit for a critical vulnerability in VMware products such as Workspace ONE Access, Identity Manager and vRealize Automation has appeared online. The bug is an authentication bypass that allows attackers to gain administrator rights.
  • Researchers at Claroty’s Team82 developed a novel technique called the Evil PLC Attack in which programmable logic controllers (PLCs) are weaponized and used to compromise engineering workstations.
  • Group-IB, an information security company, reported the discovery of a new phishing scheme to steal the accounts of users of the digital distribution service Steam. To “hijack” accounts, attackers use the recently described browser-in-the-browser technique, which creates a fake pop-up browser window on a phishing site that is indistinguishable from the real one at first glance.
  • A Positive Technologies researcher discovered two vulnerabilities in Mitsubishi controllers of the MELSEC iQ-F series. These devices are used in the food and light industries, woodworking, printing houses, water management, shipping, building engineering systems automation and other areas.
  • The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) warned US organizations that attackers deploying Zeppelin ransomware might encrypt their files multiple times. Zeppelin is a Ransomware as a Service (RaaS) operation whose malware went through several name changes from VegaLocker to Buran, VegaLocker, Jamper, and now Zeppelin.
  • A known malicious contributor has published two new Python packages trying to mimic popular ones to lure developers into downloading them and infect their machines with Cobalt Strike. This account was not disabled after the first attack, allowing the attacker to continue publishing malicious code while improving their techniques.

Cybersecurity Blog Posts

  • In late 2021, the Open Web Application Security Project® (OWASP®) Foundation released a revised list of the 10 most critical security risks to web applications. The OWASP Top 10 list is the foundation’s flagship project for guidance on securing web applications. (ISC)² experts discussed key changes in the Top 10 and how to use the list as a foundation for protecting applications.
  • Wiz Research found vulnerabilities in popular PostgreSQL-as-a-Service offerings of multiple cloud vendors. This post focuses on the previously undisclosed technical details of the research and reveals for the first time the exploration of the infrastructure of another major cloud provider, Google Cloud Platform (GCP), exploiting the same type of vulnerability to gain initial access to the environment.
  • Over the last year and a half, Quarkslab researchers studied the Titan M, a security chip introduced by Google in its Pixel smartphones starting from the Pixel 3. In this blog post, they dive into CVE-2022-20233, the latest vulnerability they found in the chip’s firmware.
  • The shared responsibility model for cloud security is the fundamental concept — perhaps the most fundamental concept — in cloud security. However, there are many challenges with how this concept fares in the real world today. In his blog, Anton Chuvakin tries to answer the question of where the shared responsibility model for security breaks down in the real world.

Research and Analytics

  • Sophos has released The State of Ransomware in Financial Services 2022, examining the impact of ransomware that financial services organizations experienced over the last 12 months. The number of attacks increased compared to the previous year, and cybercriminals managed to encrypt data in more than half of the cases.
  • A group of researchers has published a study presenting the SQUIP attack, the first side-channel attack on scheduler queues, which are critical for deciding the schedule of instructions to be executed in superscalar CPUs.
  • According to Benchmarking Cyber Risk and Readiness by ExtraHop, a significant percentage of organizations expose insecure or highly sensitive protocols, including SMB, SSH, and Telnet, to the public Internet. The intentional or accidental use of these protocols expands any organization’s attack surface, providing attackers with an easy entry point to the network.
  • Lolcads tech experts published an exploration of the Dirty Pipe vulnerability in the Linux kernel (CVE-2022-0847), which allows overwriting data in arbitrary read-only files. This leads to privilege escalation, since unprivileged processes can inject code into root processes.
  • Historically, ransomware has targeted a number of high-value sectors – finance, professional services, the public sector – in wealthy countries, concentrating on the US and other G7 members. Recent attacks on countries such as Costa Rica, South Africa, Malaysia, Peru, Brazil and India illustrate the increased threat to governments, critical national infrastructure providers and businesses in middle-income and developing countries.
  • Abnormal Security Research revealed 265 different brands impersonated in phishing attacks. Of the more than 425,000 credential phishing attacks in which a brand was impersonated in the first half of 2022, 32% involved the impersonation of a social network, with LinkedIn being the most impersonated platform. After social networks, Microsoft products were the second most impersonated, with Outlook, OneDrive, Microsoft 365, and the parent company appearing in 20% of incidents.
  • The 2022 Ponemon Institute State of Cybersecurity and Third-Party Remote Access Security Report, sponsored by SecureLink, dives into the current state of cybersecurity and third-party security across industries. Organizations have an average annual IT budget of $365 million, $78.5 million of which is spent on cybersecurity infrastructure. In the last 12 months, organizations have spent an average $9+ million to remediate the impact of cyberattacks, and yet, 54% of these organizations have experienced a cyberattack within the same period of time.
  • Trend Micro experts found APT group Iron Tiger’s malware compromising the servers of the chat application Mimi in a supply chain attack. The research showed Iron Tiger’s interest in compromising victims using the three major platforms: Windows, Linux, and macOS.
  • Kaspersky researchers identified four suspicious packages in the Node Package Manager (npm) repository using the internal automated system for monitoring open-source repositories. All these packages contained highly obfuscated malicious Python and JavaScript code. They dubbed this malicious campaign “LofyLife”.

Major Cyber Incidents

  • A denial-of-service attack brought down the website of the Finnish Parliament. The deputy director general at the National Cyber Security Centre confirmed to the public broadcasting company on Tuesday that the attack is under investigation, noting that although denial-of-service attacks can bring down websites, they do not mean that sensitive data has ended up in the wrong hands.
  • Acala, the decentralized hub of the Polkadot network, has suffered a major security breach, which prompted it to pass an urgent vote to pause operations. The hack was allegedly caused by a bug in the iBTC/AUSD pool. The security vulnerability allowed the attacker to issue an additional 1.2 billion Acala Dollar (AUSD) tokens.
  • South Staffordshire Water, a company supplying 330 million liters of drinking water to 1.6m consumers daily, has issued a statement confirming IT disruption from a cyberattack. As the announcement explains, the safety and water distribution systems are still operational, so the disruption of the IT systems doesn’t impact the supply of safe water to its customers or those of its subsidiaries, Cambridge Water and South Staffs Water.
  • CS.MONEY, one of the largest platforms for trading CS:GO skins, has taken its website offline after a cyberattack allowed hackers to loot 20,000 items worth approximately $6,000,000. CS.MONEY featured 1,696 unique skins for 53 weapons and managed total assets worth $16,500,000, which dropped to $10,500,000 after the attack.
  • Microsoft employees exposed their own company’s internal logins. A cybersecurity firm found that Microsoft workers uploaded sensitive login credentials for Microsoft’s own systems to GitHub.