Cybersecurity news
- Apache Superset is vulnerable to authentication bypass and remote code execution in its default configuration, allowing attackers to potentially access and modify data, harvest credentials, and execute commands.
- VMware has released security updates to address zero-day vulnerabilities that could be chained to gain code execution on systems running unpatched versions of the company’s Workstation and Fusion software hypervisors.
- A new reflective Denial-of-Service amplification vulnerability in the Service Location Protocol allows threat actors to launch massive denial-of-service attacks with 2,200X amplification.
- A new side-channel hacking technique has been discovered affecting multiple generations of Intel processors. This attack method allows an attacker to extract sensitive data from the EFLAGS register by analyzing instruction execution timing.
- Attackers are hacking into poorly secured and Internet-exposed Microsoft SQL servers to deploy Trigona ransomware payloads and encrypt all files. The MS-SQL servers are being breached via brute-force or dictionary attacks that take advantage of easy-to-guess account credentials.
- Threat actors behind the LockBit ransomware operation have developed new artifacts that can encrypt files on devices running Apple’s macOS operating system.
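As a defender-side illustration of the MS-SQL item above (an added example, not code from any of the reports this digest links to): the script parses the failed-login lines SQL Server writes to its ERRORLOG (error 18456) and flags source addresses that exceed a failure threshold within a sliding time window. The log lines are constructed sample data and the thresholds are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# SQL Server logs each failed login as two ERRORLOG lines: an "Error: 18456" header
# and a "Login failed for user" line with the account, reason and client address.
FAILED_LOGIN = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<client>[^\]]+)\]"
)

# Constructed sample data (not real telemetry) in SQL Server's two-line format.
def _entry(ts, user, client):
    return (f"{ts} Logon       Error: 18456, Severity: 14, State: 8.\n"
            f"{ts} Logon       Login failed for user '{user}'. Reason: Password did not "
            f"match that for the login provided. [CLIENT: {client}]\n")

# 8 rapid failures against 'sa' from one address, one user typo, 3 slow failures from a job.
SAMPLE_ERRORLOG = "".join(
    [_entry(f"2023-04-15 10:00:{i:02d}.00", "sa", "203.0.113.5") for i in range(8)]
    + [_entry("2023-04-15 10:02:15.00", "jsmith", "198.51.100.7")]
    + [_entry(f"2023-04-15 10:{m:02d}:00.00", "backup", "192.0.2.9") for m in (5, 20, 35)]
)

def parse_failed_logins(text):
    """Return [(timestamp, user, client_ip)] for every failed-login line."""
    events = []
    for line in text.splitlines():
        m = FAILED_LOGIN.match(line)
        if m:
            events.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["user"], m["client"]))
    return events

def brute_force_sources(events, threshold=5, window_minutes=5):
    """Return {client_ip: (total_failures, targeted users)} for clients with
    >= threshold failures inside any sliding window of window_minutes."""
    window = timedelta(minutes=window_minutes)
    by_client = defaultdict(list)
    for ts, user, client in sorted(events):
        by_client[client].append((ts, user))
    hits = {}
    for client, attempts in by_client.items():
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1  # slide the window forward past stale attempts
            if end - start + 1 >= threshold:
                hits[client] = (len(attempts), sorted({u for _, u in attempts}))
                break
    return hits
```

Flagged addresses are candidates for blocking at the firewall and for checking against the NCR/Trigona pattern of exposed SQL listeners; the same logic applies to Windows event ID 4625 exports once the parser is swapped.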
Cybersecurity Blog Posts
- Julien Vehent has published a post about the importance of developing stronger software development skills in cybersecurity. The author focuses on data engineering, using the history of detection and response development as an example.
- Permiso researchers published an article on the abuse of the SNS service and SMS capabilities in compromised cloud environments. The authors describe the company’s experience investigating an account compromise, in particular an unsuccessful attempt by an attacker to call GetSMSAttributes.
- Julien Egloff of Synacktiv described how attackers extract the “secrets” held by LSASS, LSA and DPAPI during post-exploitation of compromised Windows systems for lateral movement or privilege escalation. The article also gives an overview of the information contained in these “secrets”, the available tools for recovering them and the associated detection risks.
- Anton Chuvakin shared his opinion on the Mandiant 2023 M-Trends report in his blog. The author highlighted points he found surprising and unsurprising. It is not surprising, for example, that the global dwell time continues to improve year over year, and that the majority (48%) of threat groups are financially motivated.
Research and analytics
- The median dwell time of an attacker inside a compromised network went down to 16 days last year, according to M-Trends 2023, a report compiled by Mandiant from data from its frontline incident response teams. The number has gone down from 21 days in 2021 and down from 416 days in 2011, suggesting companies have gotten better at detecting threat actors inside their networks.
- CISA has released a report outlining and describing the various parties and phases of the Software Bill of Materials (SBOM) sharing lifecycle. Intended to assist users in executing each phase of the SBOM sharing lifecycle, the report helps them choose sharing platforms based on resources, effort, subject matter expertise and access to tooling.
- According to ANY.RUN’s quarterly report, the RedLine infostealer was the most analyzed malware on its platform during Q1 2023.
- CybelAngel released the 2023 State of the External Attack Surface: Annual Threat Trends Analysis Report. It examines internet-facing exposures detected by CybelAngel’s Xtended External Attack Surface Management platform in 2022. The report also highlights the critical paths hackers will take to get to their target, as well as trends in cybercrime, key areas of data risk, and a breakdown of exposures by industry.
- Deepwatch announced the release of its 2023 Annual Threat Report, created by the Deepwatch Adversary Tactics and Intelligence team. According to the report, ransomware operators have been launching increasingly frequent attacks, demanding higher ransoms, and publicly exposing victims, leading to the emergence of an ecosystem that involves access brokers, ransomware service providers, insurance providers, and ransom negotiators.
- GuidePoint Security has released the GuidePoint Research and Intelligence Team’s (GRIT) Q1 2023 Ransomware Report. In it, GRIT tracked 849 publicly posted ransomware victims claimed by 29 different threat groups in Q1 2023, a 25% increase compared to Q4 2022.
- Cybersecurity firm eSentire says it discovered a way to prevent the GootLoader malware from deploying its payload via hacked websites. Security researchers say that by carefully placing web requests to the more than 375,000 malicious URLs known to serve GootLoader, they can protect “a large swath of the Internet” from getting infected.
- Ad fraud security company Human has published its yearly report, and the company noted that bad bot traffic doubled last year while legitimate human-generated traffic decreased. The company says that most of the bad bot traffic it usually sees comes from behind faked devices and proxy servers.
- The United Nations Security Council has published its yearly report on North Korea, and this year’s report notes a significant increase in North Korean cyber activity, with DPRK groups stealing more cryptocurrency in 2022 “than in any previous year.” The report also covers North Korea’s 2022 cyber-espionage operations as well.
- Kaspersky researchers have identified a new APT group named Tomiris that has been targeting CIS countries in Central Asia since 2021. Experts say that current evidence suggests Tomiris is focused exclusively on espionage and the theft of internal documents.
Major Cyber Incidents
- Americold, a leading cold storage and logistics company, has been facing IT issues since its network was breached. The company said it contained the attack and is now investigating the incident, which, according to customer and employee reports, also affected operations.
- Yellow Pages Group, a Canadian directory publisher, has confirmed that it has been hit by a cyber attack. The Black Basta ransomware and extortion gang has claimed responsibility for the attack and has posted sensitive documents.
- The software supply chain attack that led to the 3CX breach has also impacted at least several critical infrastructure organizations in the United States and Europe, according to Symantec’s Threat Hunter Team.
- The American Bar Association has suffered a data breach after hackers compromised its network and gained access to older credentials for 1,466,000 members.
- ICICI Bank leaked millions of records with sensitive data, including financial information and personal documents of the bank’s clients.
- Leading US software and payment platform provider NCR has confirmed that it has fallen victim to a ransomware attack. NCR specializes in providing technology and payment systems for the restaurant and hospitality sectors.
- Hackers published a trove of data stolen from U.S. network infrastructure giant CommScope, including thousands of employees’ Social Security numbers and bank account details.