Cybersecurity news
- A new APT hacking group dubbed Lancefly uses a custom ‘Merdoor’ backdoor malware to target government, aviation, and telecommunication organizations in South and Southeast Asia. Lancefly has been deploying the stealthy Merdoor backdoor in highly targeted attacks since 2018 to establish persistence, execute commands, and perform keylogging on corporate networks.
- The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned of a critical remote code execution (RCE) flaw in the Ruckus Wireless Admin panel actively exploited by a recently discovered DDoS botnet.
- Microsoft’s May 2023 Patch Tuesday security updates fix three zero-day vulnerabilities and a total of 38 flaws. Six vulnerabilities are classified as ‘Critical’ because they allow remote code execution, the most severe type of vulnerability.
- Apple released its first batch of publicly available “rapid security” patches, aimed at quickly fixing security vulnerabilities that are under active exploitation or pose significant risks to its customers. The Rapid Security Response updates deliver important security improvements between software updates.
- Apple and Google are teaming up to thwart unwanted tracking through AirTags and similar gadgets. The two companies submitted a proposal to set standards for combatting secret surveillance on Bluetooth devices that were created to help people find lost keys, keep tabs on luggage or to locate other things that have a tendency to be misplaced.
- Cybersecurity researchers have uncovered weaknesses in a software implementation of the Border Gateway Protocol (BGP) that could be weaponized to achieve a denial-of-service (DoS) condition on vulnerable BGP peers.
Cybersecurity Blog Posts
- Assetnote researchers discovered and described a pre-authentication remote code execution (RCE) vulnerability in Oracle Opera, a hotel property management solution, arguing that it should have received a severity rating of 10/10 rather than the 7.2/10 it was assigned.
- Kevin Mandia, CEO of Mandiant, gave 7 tips for cyber defense that organizations can take to strengthen their infrastructure and increase the chances of detecting, suppressing or minimizing attacks.
- Ars Technica has published an article about the juice jacking attack. The danger of this attack is that mobile devices can be compromised when connected to malicious charging stations in public places.
- A review by Guardrails researchers explains what DAST (dynamic application security testing) is and what benefits it can bring to an organization. The article lists the advantages and limitations of DAST and how it differs from SAST (static application security testing).
Research and analytics
- CybelAngel released the 2023 State of the External Attack Surface: Annual Threat Trends Analysis Report. This report examines internet-facing exposures detected by CybelAngel’s Xtended External Attack Surface Management (EASMX) platform in 2022. The report also highlights the critical paths hackers will take to get to their target, as well as trends in cybercrime, key areas of data risk, and a breakdown of exposures by industry.
- Deepwatch announced the release of its 2023 Annual Threat Report, created by the Deepwatch Adversary Tactics and Intelligence (ATI) team. According to the report, ransomware operators have been launching attacks more frequently, demanding higher ransoms, and publicly exposing victims, leading to the emergence of an ecosystem that involves access brokers, ransomware service providers, insurance providers, and ransom negotiators.
- The median dwell time of an attacker inside a compromised network went down to 16 days last year, according to M-Trends 2023, a report compiled by Mandiant from data from its frontline incident response teams. The number has gone down from 21 days in 2021 and down from 416 days in 2011, suggesting companies have gotten better at detecting threat actors inside their networks.
- CISA has released a report outlining and describing the various parties and phases of the Software Bill of Materials (SBOM) sharing lifecycle. Intended to assist users in executing each phase of the SBOM sharing lifecycle, the SBOM Sharing Lifecycle Report helps them choose sharing platforms based on resources, effort, subject matter expertise and access to tooling.
- According to ANY.RUN’s quarterly report, the RedLine infostealer was the most analyzed malware on its platform during Q1 2023.
- The United Nations Security Council has published its yearly report on North Korea, and this year’s report notes a significant increase in North Korean cyber activity, with DPRK groups stealing more cryptocurrency in 2022 “than in any previous year.” The report also covers North Korea’s 2022 cyber-espionage operations.
- GuidePoint Security has released the GuidePoint Research and Intelligence Team’s (GRIT) Q1 2023 Ransomware Report. Within it, GRIT tracked 849 publicly posted ransomware victims claimed by 29 different threat groups in Q1 2023, a 25% increase compared to Q4 2022.
- Cybersecurity firm eSentire says it discovered a way to prevent the GootLoader malware from deploying its payload via hacked websites. Its researchers say that by carefully placing web requests to the more than 375,000 malicious URLs known to serve GootLoader, they can protect “a large swath of the Internet” from getting infected.
Major Cyber Incidents
- airBaltic, Latvia’s flag carrier, has acknowledged that a ‘technical error’ exposed reservation details of some of its passengers to other airBaltic passengers. Passengers also reported receiving unexpected emails that addressed them by the name of another customer.
- The Philadelphia Inquirer daily newspaper is working on restoring systems impacted by what it described as a cyberattack on its network. The attack also disrupted operations: print circulation was halted, while Inquirer.com was only slightly affected, with the publishing and updating of stories subject to intermittent delays.
- Discord is notifying users of a data breach that occurred after the account of a third-party support agent was compromised. The security breach exposed the agent’s support ticket queue, which contained user email addresses, messages exchanged with Discord support, and any attachments sent as part of the tickets.
- U.S. tech company and Siemens subsidiary Brightly Software is notifying customers that their personal information and credentials were stolen by attackers who gained access to the database of its SchoolDude online platform.
- Toyota Motor Corporation disclosed a data breach on its cloud environment that exposed the car-location information of 2,150,000 customers for ten years. The data breach resulted from a database misconfiguration that allowed anyone to access its contents without a password.
- Swiss multinational company ABB, a leading electrification and automation technology provider, has suffered a Black Basta ransomware attack, reportedly impacting business operations.