Cybersecurity news
- Google has released an emergency security update for the desktop version of the Chrome web browser, addressing the eighth zero-day vulnerability exploited in attacks this year. The high-severity flaw is tracked as CVE-2022-4135 and is a heap buffer overflow in the GPU component, discovered by Clement Lecigne of Google’s Threat Analysis Group on November 22, 2022.
- Over 1,600 publicly available Docker Hub images hide malicious behavior, including cryptocurrency miners, embedded secrets that can be used as backdoors, DNS hijackers, and website redirectors. Docker Hub is a cloud-based container library allowing people to freely search and download Docker images or upload their creations to the public library or personal repositories.
- Windows gamers and power users are being targeted by fake MSI Afterburner download portals that infect them with cryptocurrency miners and the RedLine information-stealing malware. MSI Afterburner is a GPU utility that allows you to configure overclocking, create fan profiles, capture video, and monitor your installed graphics cards’ temperature and CPU utilization.
- Cybercriminals are increasingly turning to a new Go-based information stealer named ‘Aurora’ to steal sensitive information from browsers and cryptocurrency apps, exfiltrate data directly from disks, and load additional payloads.
- A crypto-stealing phishing campaign is underway to bypass multi-factor authentication and gain access to accounts on Coinbase, MetaMask, Crypto.com, and KuCoin and steal cryptocurrency. The threat actors abuse the Microsoft Azure Web Apps service to host a network of phishing sites and lure victims to them via phishing messages impersonating bogus transaction confirmation requests or suspicious activity detection.
- Security researchers have warned of a new ransomware variant that not only encrypts the victim’s files but also attempts to steal data by enabling a Discord account takeover (ATO). Aimed at consumers, the “AXLocker” ransomware functions in a fairly typical way, targeting certain file extensions with AES encryption, before extorting the victim.
Cybersecurity Blog Posts
- Anton Chuvakin continued the topic of Site Reliability Engineering recommendations for SOC. This time it’s about simplicity and how it helps security – simple systems and processes are easier to protect and monitor for threats.
- Ben Mauch, who published a Kerberoast detection back in 2018, demonstrated how he managed to bypass his own detection using Orpheus, and how minor changes to the Kerberos request let him slip past many other detection systems as well.
- ESET has dedicated a post to what security fatigue is and why it is dangerous: employees put valuable data at greater risk because they become desensitized to security recommendations. It is important to notice these symptoms before it is too late.
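As an added illustration of why an encryption-type-keyed Kerberoast rule can be bypassed (example code written for this digest, not taken from Ben Mauch’s post or the Orpheus tool): the widely used detection looks for Windows Security event 4769 (service ticket requested) with TicketEncryptionType 0x17 (RC4-HMAC), because cracking tools request RC4 tickets by default. A requester that asks for AES tickets instead never produces a 0x17 event, so a rule that counts distinct service-ticket requests per account, regardless of encryption type, is the more robust companion. All account names and log records below are constructed sample data.

```python
from collections import defaultdict

# Constructed sample event 4769 records. Field names follow the real Windows
# event schema; the accounts, services and values are made up for this example.
SAMPLE_4769 = [
    # alice: five distinct service tickets, all RC4 (0x17) -> the classic Kerberoast pattern
    {"TargetUserName": "alice@CORP.LOCAL", "ServiceName": "svc_sql",    "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"TargetUserName": "alice@CORP.LOCAL", "ServiceName": "svc_web",    "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"TargetUserName": "alice@CORP.LOCAL", "ServiceName": "svc_backup", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"TargetUserName": "alice@CORP.LOCAL", "ServiceName": "svc_iis",    "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"TargetUserName": "alice@CORP.LOCAL", "ServiceName": "svc_spo",    "TicketEncryptionType": "0x17", "Status": "0x0"},
    # bob: the same five services, but the requests asked for AES256 (0x12) tickets
    {"TargetUserName": "bob@CORP.LOCAL",   "ServiceName": "svc_sql",    "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"TargetUserName": "bob@CORP.LOCAL",   "ServiceName": "svc_web",    "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"TargetUserName": "bob@CORP.LOCAL",   "ServiceName": "svc_backup", "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"TargetUserName": "bob@CORP.LOCAL",   "ServiceName": "svc_iis",    "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"TargetUserName": "bob@CORP.LOCAL",   "ServiceName": "svc_spo",    "TicketEncryptionType": "0x12", "Status": "0x0"},
    # carol: one legitimate AES ticket for a service she actually uses
    {"TargetUserName": "carol@CORP.LOCAL", "ServiceName": "svc_web",    "TicketEncryptionType": "0x12", "Status": "0x0"},
    # a computer account requesting a ticket for another host: normal machine-to-machine traffic
    {"TargetUserName": "WS01$@CORP.LOCAL", "ServiceName": "FS01$",      "TicketEncryptionType": "0x12", "Status": "0x0"},
    # krbtgt tickets are TGT renewals, not Kerberoast targets
    {"TargetUserName": "alice@CORP.LOCAL", "ServiceName": "krbtgt",     "TicketEncryptionType": "0x12", "Status": "0x0"},
]

RC4_HMAC = "0x17"


def is_roastable_target(event):
    """Keep only successful requests for user service accounts: computer accounts ($)
    and the krbtgt service are not Kerberoast targets and only add noise."""
    svc = event["ServiceName"]
    return event["Status"] == "0x0" and not svc.endswith("$") and svc.lower() != "krbtgt"


def classic_rc4_rule(events):
    """The encryption-type rule: flag TGS requests for user service accounts with RC4 tickets."""
    return [e for e in events if is_roastable_target(e) and e["TicketEncryptionType"] == RC4_HMAC]


def volume_rule(events, threshold=5):
    """Encryption-agnostic rule: flag requesters that pull tickets for many distinct
    service accounts in the analysed window. The threshold is illustrative only."""
    services = defaultdict(set)
    for e in events:
        if is_roastable_target(e):
            services[e["TargetUserName"]].add(e["ServiceName"])
    return {user: sorted(svcs) for user, svcs in services.items() if len(svcs) >= threshold}


def flagged_requesters(events):
    """Return (classic_hits, volume_hits) as sets of requester names for side-by-side comparison."""
    return ({e["TargetUserName"] for e in classic_rc4_rule(events)}, set(volume_rule(events)))


if __name__ == "__main__":
    classic, volume = flagged_requesters(SAMPLE_4769)
    print("RC4-only rule flags:", sorted(classic))  # alice only; bob's AES requests slip through
    print("Volume rule flags:  ", sorted(volume))   # alice and bob
```

The per-requester threshold has to be tuned per environment (service desks and monitoring accounts legitimately touch many SPNs), and in production the window, requester IP and time-of-day would be added to the key; the point here is only that the second rule does not care which encryption type the attacker asked for.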
Research and analytics
- Trend Micro has published a write-up on CVE-2022-32895, a vulnerability in the macOS PackageKit Framework that can be used by malicious apps to modify protected parts of the file system. The vulnerability is a variation of the older CVE-2019-8561 vulnerability.
- The US National Security Agency issued guidance, recommending that developers and organizations look into using memory-safe languages when coding new applications as a way to avoid common “poor memory management issues” that could allow threat actors to exploit their software and abuse or steal user data.
- In its annual threat assessment report, the Swiss government said that it sees cybercrime, and specifically ransomware, as the main cyber threat to the country’s critical infrastructure, as opposed to state-backed APT groups.
- Veeam Software released the findings of the company’s Cloud Protection Trends Report 2023, covering four key “as a Service” scenarios: Infrastructure as a Service, Platform as a Service, Software as a Service, and Backup and Disaster Recovery as a Service. Nearly 90% of Microsoft 365 customers surveyed use supplemental measures rather than relying solely on built-in recovery capabilities.
- Research from Tessian, the State of Email Security Report, found that enterprise email is now the number one threat vector for cyberattacks. According to the report, 94% of organizations experienced a spear phishing or impersonation attack, and 92% suffered ransomware attacks over email this year.
- Secureworks released Emerging Cybersecurity Trends to Watch in 2023. New ransomware-as-a-service (RaaS) schemes will continue to emerge, but the landscape will be dominated by a handful of cybercriminal groups operating a small number of very active schemes.
- Sansec researchers are reporting a rise in attacks probing Magento 2 and Adobe Commerce online stores for a vulnerability tracked as CVE-2022-24086. The vulnerability allows threat actors to place orders on vulnerable stores that abuse the site’s emailing feature to take over unpatched stores. Sansec said that, based on its data, around 38% of all Magento and Adobe Commerce stores had not been patched for the vulnerability as of November 2022.
Major Cyber Incidents
- Over 5.4 million Twitter user records containing non-public information stolen using an API vulnerability fixed in January have been shared for free on a hacker forum. The data consists of scraped public information as well as private phone numbers and email addresses that are not meant to be public.
- The Ragnar Locker ransomware gang has published stolen data from what they thought was the municipality of Zwijndrecht, but turned out to be stolen from Zwijndrecht police, a local police unit in Antwerp, Belgium. The leaked data reportedly exposed thousands of car number plates, fines, crime report files, personnel details, investigation reports, and more.
- The Vice Society ransomware operation has claimed responsibility for a cyberattack on Cincinnati State Technical and Community College, with the threat actors now leaking data allegedly stolen during the attack. The hackers posted a long list of documents on their Tor data leak site they claim was stolen from the college, indicating that a ransom was never paid.
- Sports betting company DraftKings said that it would make whole the customers affected by a credential stuffing attack that led to losses of up to $300,000. Some victims have also expressed their frustration on social media because they were unable to get in contact with anyone at DraftKings while having to watch the attackers repeatedly withdraw money from their bank accounts.
- Researchers discovered 1,550 mobile apps leaking Algolia API keys, risking the exposure of sensitive internal services and stored user information. Of those apps, 32 expose admin secrets, including 57 unique admin keys, giving attackers a way to access sensitive user information or modify app index records and settings.
- The FBI and CISA revealed in a joint advisory that an unnamed Iranian-backed threat group hacked a Federal Civilian Executive Branch organization to deploy XMRig cryptomining malware. The attackers compromised the federal network after hacking into an unpatched VMware Horizon server using an exploit targeting the Log4Shell remote code execution vulnerability.