Cybersecurity news
- Millions of GitHub repositories may be vulnerable to dependency repository hijacking, also known as “RepoJacking,” which could help attackers deploy supply chain attacks impacting a large number of users.
- A variant of the Mirai botnet is targeting almost two dozen vulnerabilities aiming to take control of D-Link, Arris, Zyxel, TP-Link, Tenda, Netgear, and MediaTek devices to use them for distributed denial-of-service attacks.
- A new malware called Condi has been observed exploiting a security vulnerability in TP-Link Archer AX21 Wi-Fi routers to rope the devices into a distributed denial-of-service botnet.
- CyberCX’s cyber security experts have recently unveiled a way to consistently bypass the security of older Lenovo laptops with a locked BIOS, raising severe security concerns among users.
- Microsoft attributed a string of service outages aimed at Azure, Outlook, and OneDrive earlier this month to an uncategorized cluster it tracks under the name Storm-1359.
- Microsoft’s June 2023 Patch Tuesday shipped security updates for 78 flaws, including 38 remote code execution vulnerabilities. While thirty-eight RCE bugs were fixed, Microsoft only listed six flaws as ‘Critical,’ covering denial of service, remote code execution, and privilege elevation.
Cybersecurity Blog Posts
- BOHOPS researchers examined the methods of process injection, which allow bypassing protection and elevating privileges, and also described ways to detect them.
- Patrick Mayo described a method for gaining access to an AWS Control Tower Management account, and also told how detection tools can be configured, what preventive changes can be made to strengthen protection, and what fixes can be implemented to restrict access to an identity that can use this method of attack.
- CyberArk specialists Jed Knopf and Sharon Abarbanel emphasized the importance of protecting credentials used in the organization’s PAM automation scenarios, and also gave their recommendations for ensuring their security.
- Tom Felton shared his opinion that red teaming can become a fundamental truth for information security directors and managers.
Research and analytics
- A honeypot experiment that ran for more than four months has found that MSSQL databases are far more targeted by threat actors than other DB systems like MySQL, Redis, or MongoDB. Trustwave says it recorded a giant disproportion in the number of attacks, with more than 93% targeting MSSQL servers, while other systems like Oracle, DB2, Cassandra, or Couchbase saw little to no action.
- The operators of the LockBit ransomware are believed to have made more than $91 million in ransom payments from more than 1,700 attacks targeting US organizations, according to CISA and the FBI.
- GAO has published a report on the cybersecurity posture of tools used by the National Nuclear Security Administration (NNSA) to produce nuclear weapon components and in nuclear weapons themselves.
- Proofpoint has published its annual Human Factor report. The report analyzes recent techniques used by threat actors that combine technology and psychology to go after their targets. The report looks at TOAD attacks, new phishing techniques that bypass MFA, and recent social engineering techniques adopted by the likes of Emotet and SocGholish.
- Assetnote researchers have published a two-part series on the MOVEit vulnerability (CVE-2023-34362) exploited by the Clop gang.
- A team of security researchers, Hackcompute, has identified vulnerabilities in the Extensible Provisioning Protocol that could be used to hijack top-level domains. The protocol allows domain registrars to communicate with each other and exchange information about their customers’ domain name updates and new domain registrations.
- Infoblox has published a deep dive analysis of various forms of lookalike attacks (homographs, soundsquatting, typosquatting, combosquatting, etc.).
- Kaspersky has a deep dive into a campaign delivering the DoubleFinger malware loader that then deploys GreetingGhoul, a malware designed to collect credentials linked to cryptocurrency wallet apps.
- Sygnia has the low-down on an “adversary-in-the-middle” BEC campaign that has used AiTM phishing techniques to target and breach dozens of companies across the world.
Major Cyber Incidents
- PBI Research Services has suffered a data breach with clients disclosing that the data for 4.75 million people was stolen in the recent MOVEit Transfer data-theft attacks.
- Car mount and mobile accessory maker iOttie warns that its site was compromised for almost two months to steal online shoppers’ credit cards and personal information.
- Vancouver Transit Police have come forward to confirm that their data was accessed through the exploitation of vulnerabilities in the MOVEit file transfer tool – a tactic cybercriminals have used in several high-profile incidents over the last three weeks.
- The European Investment Bank, a public financial and credit institution of the European Union, has fallen victim to an ongoing Distributed Denial of Service attack orchestrated by hacker groups Anonymous Sudan and Killnet.
- Hackers are threatening to release confidential data stolen from Reddit unless the company pays a ransom demand – and reverses its controversial API price hikes. The BlackCat ransomware gang claims to have stolen 80 GB of compressed data from Reddit during a February breach of the company’s systems.
- The National Securities Commission of Argentina (CNV) has become a victim of hackers who demand a ransom of $500,000, threatening to leak 1.5 TB of documents and CNV databases.