Cybersecurity Digest #67: 23/01/2023 – 08/02/2023

Cybersecurity news

• Fortra has released an emergency patch to address an actively exploited zero-day vulnerability in the GoAnywhere MFT secure file transfer tool. The vulnerability allows attackers to gain remote code execution on vulnerable GoAnywhere MFT instances whose administrative console is exposed online.
• Taiwanese company QNAP has released updates to remediate a critical security flaw affecting its network-attached storage devices that could lead to arbitrary code injection. Tracked as CVE-2022-27596, the vulnerability is rated 9.8 out of a maximum of 10 on the CVSS scoring scale. It affects QTS 5.0.1 and QuTS hero h5.0.1.
• The development team behind the open-source password management software KeePass is disputing what is described as a newly found vulnerability that allows attackers to stealthily export the entire database in plain text. To secure these local databases, users can encrypt them using a master password so that malware or a threat actor can’t just steal the database and automatically gain access to the passwords stored within it.
• Tokyo police and over 100 technology firms commenced a drill to counter ransomware cyberattacks ahead of the Group of Seven summit, set to be held in May in the western Japan city of Hiroshima. With the drill, which includes companies that possess technology related to infrastructure, the Metropolitan Police Department aims to strengthen ties and increase vigilance against computer virus attacks.
• Printer and imaging products manufacturer Lexmark published a security advisory to warn users of a critical vulnerability impacting over 120 printer models. The issue, tracked as CVE-2023-23560 (CVSS score of 9.0), is described as a server-side request forgery flaw in the Web Services feature of newer Lexmark devices, which could be exploited to execute arbitrary code.
• An increasing number of threat actors have started relying on the command-and-control (C2) framework Sliver as an open-source alternative to tools such as Metasploit and Cobalt Strike. Security researchers at Cybereason described the new phenomenon in an advisory published, adding that Sliver is gaining popularity due to its modular capabilities (via Armory), cross-platform support and vast number of features.

Cybersecurity Blog Posts

• CheckPoint experts described 12 Ways to make ZTNA deployments effortless. The recommendations will help protect any asset in a matter of minutes, for example, cloud or on-premises data centers, applications and resources with minimal access rights, data protection and threat prevention.
• In the blog WhatIs.com the Top 10 podcasts on information security have been published. The podcasts feature analyses of the latest cyberattacks and high-profile incidents, stories from Darkweb, expert opinions and news reviews.
• Sophos News specialists briefly talked about what people need to know about international requirements for the protection of personal data and the prospects for their development in 2023. Most of the documents described relate to the legislation of the United States, Canada and China.

Research and analytics

• The team at DFIR Report has a summary of how threat actors have adopted and are now abusing Invoke-ShareFinder, a script part of the PowerView module of the PowerSploit framework. The script allows users to find all network shares inside a large network, which can be very useful for threat actors trying to find a victim’s data and steal it or encrypt it.
• Check Point has put out its quarterly phishing report. The top most-used brand in phishing emails in Q4 2022 was Yahoo. DHL reached second position in Q4 with 16% of all brand phishing attempts, ahead of Microsoft in the third place with 11%.
• According to year-in-review report of Wordfence, while credential stuffing attacks have remained the top threat for WordPress site operators in 2022, the number of attacks “saw a significant reduction” compared to the previous year. A total of 1.2 million WordPress sites appear to have been hacked last year, and of these, 210,000 appeared infected at the start and end of the year, meaning there was no one maintaining them.
• Insider threats are a top concern at organizations of all kinds. Only 3% of respondents surveyed are not concerned with insider risk, according to Gurucul. The report found that organizations have never felt more vulnerable with three-quarters of respondents saying they feel moderately to extremely vulnerable to insider threats – an increase of 8% over the previous year.
• Researchers from Cisco Talos reported that one particular commercial RMM tool called Syncro was observed in a third of the incident response cases the company was engaged in during the fourth quarter of 2022. However, this wasn’t the only such tool used.
• Proofpoint researchers have published a report about a new campaign targeting Microsoft 365 users that aims to trick them into authorizing malicious third-party OAuth apps on their accounts.
• According to blockchain analysts from Chainalysis, revenues from extortionate attacks fell from $765.6 million in 2021 to $456.8 million in 2022. Experts explain this drop by more than 40% by many factors, but the main reason is simple: more and more victims refuse to pay hackers.

Major Cyber Incidents

• Toyota’s Global Supplier Preparation Information Management System was breached by a security researcher who responsibly reported the issue to the company. The security researcher, who publishes under the pseudonym EatonWorks, discovered a “backdoor” in Toyota’s system that allowed anyone to access an existing user account as long as they knew their email.
• The LockBit ransomware operation has claimed the cyberattack on UK’s leading mail delivery service Royal Mail that forced the company to halt its international shipping services due to “severe service disruption.”
• UK engineering company Vesuvius Plc said it’s managing a cyber-security incident involving unauthorized access to its systems. The molten metal flow control firm has shut down affected systems and initiated steps to assess the scale of the attack. The shares fell as much as 3.1% in early trading in London.
• PeopleConnect, the owners of the TruthFinder and Instant Checkmate background check services, confirmed they suffered a data breach after hackers leaked a 2019 backup database containing the info of millions of customers.
• Threat actors are auctioning the alleged source code for Riot Game’s League of Legends and the Packman anti-cheat software, confirmed to be stolen in a recent hack of the game company’s developer environment. Riot Games disclosed that its development environment had been hacked, allowing threat actors to steal source code for League of Legends, Teamfight Tactics, and the company’s Packman legacy anti-cheat platform.
• Cybercriminals duped federal employees into downloading remote monitoring and management software and then used it to execute scams to steal money from victims’ bank accounts. The joint alert from the Cybersecurity and Infrastructure Security Agency, National Security Agency and Multi-State Information Sharing and Analysis Center did not specify which agencies were affected, but noted that at least two were victims.