Cybersecurity Digest #80: 08/08/2023 – 23/08/2023

Cybersecurity news

• Ivanti warned customers that a critical Sentry API authentication bypass vulnerability is being exploited in the wild. Discovered and reported by researchers at cybersecurity company mnemonic, the critical vulnerability (CVE-2023-38035) enables unauthenticated attackers to gain access to sensitive admin portal configuration APIs exposed over port 8443, used by MobileIron Configuration Service (MICS).
• Researchers from Italy and the UK have discovered four vulnerabilities in the TP-Link Tapo L530E smart bulb and TP-Link’s Tapo app, which could allow attackers to steal their target’s WiFi password.
• An ongoing phishing campaign has been underway since at least April 2023 that attempts to steal credentials for Zimbra Collaboration email servers worldwide. Phishing emails are sent to organizations worldwide, with no specific focus on certain organizations or sectors. The threat actor behind this operation remains unknown at this time.
• The threat actors behind the Monti ransomware have resurfaced after a two-month break with a new Linux version of the encryptor in its attacks targeting government and legal sectors. A BinDiff analysis has revealed that while the older iterations had a 99% similarity rate with Conti, the latest version has only a 29% similarity rate, suggesting an overhaul.
• Google has started deploying a hybrid key encapsulation mechanism (KEM) to protect the sharing of symmetric encryption secrets during the establishment of secure TLS network connections.
• Millions of PLC (programmable logic controllers) used in industrial environments worldwide are at risk to 15 vulnerabilities in the CODESYS V3 software development kit, allowing remote code execution (RCE) and denial of service (DoS) attacks.

Cybersecurity Blog Posts

• Xavier Bellekens, CEO of Lupovis, explains how the implementation of deception-as-a-service offers an extra layer of defense, aiding both the CISO and their team with early warning indicators of potential breaches.
• Kevin Paige, CISO at Uptycs, provides insights into how he navigates the complex cybersecurity landscape, striking a balance between technical expertise, effective communication, risk management, and adaptive leadership.
• Mark O’Neill, CTO at BlackDice Cyber, talks about collaboration, transparent policies, and a security-first mindset. As 5G and IoT emerge, robust measures and AI will navigate challenges and shape the telecom industry’s future.
• Marcin Wiązowski describes in detail CVE-2023-21822 – a Use-After-Free (UAF) in win32kfull that could lead to a privilege escalation. The bug was reported through the ZDI program and later patched by Microsoft. Marcin has graciously provided this detailed write-up of the vulnerability, examines how it could be exploited, and a look at the patch Microsoft released to address the bug.

Research and analytics

• Agio published its 2023 Hedge Fund Cybersecurity Trends Report, in which the majority of firms reported a spike in cyberattack frequency and severity during the last year. 77% of firms reported cyber attack frequency increased during the last 12 months, and 87% said attacks were more severe.
• OPSWAT  published the results of its Threat Intelligence Survey. The comprehensive survey included insights from over 300 IT professionals responsible for malware detection, analysis, and response within their organizations. 62% of organizations recognize the need for additional investments in tools and processes to enhance their threat intelligence capabilities. Only 22% have fully matured threat intelligence programs in place, with most indicating that they are only in the early stages or need to make additional investments in tools and processes.
• According to a report published by Analyst 1’s John DiMaggio, the Lockbit gang is having problems publishing and leaking victim data on its dark web leak site. The gang has run out of server storage, DiMaggio says. It often claims that a victim’s files have been published, but the files can’t be downloaded.
• Dutch security firm Fox-IT says that of more than 31,000 Citrix NetScaler ACD devices that were exposed online last month, almost 1,900 devices are showing signs they’ve been hacked and backdoored by threat actors using the CVE-2023-3519 vulnerability.
• The results of the Insights Student Experience Survey showed that university leaders are paying more and more attention to improving both physical and network security. The study showed that approximately 50% of college leaders in the United States plan to increase investments in information security over the next two years.
• Phone fraud on a country-by-country basis reached new heights in Q2, according to the Q2 2023 Global Call Threat Report published by Hiya. Some scams monitored by Hiya took a “shotgun” approach, blasting thousands of robocalls aimed at unsuspecting Amazon users, while others were narrowly targeted at immigrants or the elderly.

Major Cyber Incidents

• A previously unidentified APT hacking group named ‘Carderbee’ was observed attacking organizations in Hong Kong and other regions in Asia, using legitimate software to infect targets’ computers with the PlugX malware.
• The BlackCat/ALPHV ransomware gang has added Seiko to its extortion site, claiming responsibility for a cyberattack disclosed by the Japanese firm earlier this month.
• Researchers have uncovered a massive campaign that delivered proxy server apps to at least 400,000 Windows systems. The devices act as residential exit nodes without users’ consent and a company is charging for the proxy traffic running through the machines.
• A threat actor has compromised close to 2,000 thousand Citrix NetScaler servers in a massive campaign exploiting the critical-severity remote code execution tracked as CVE-2023-3519. More than 1,200 servers were backdoored before administrators installed the patch for the vulnerability and continue to be compromised because they have not been checked for signs of successful exploitation.
• LinkedIn is being targeted in a wave of account hacks resulting in many accounts being locked out for security reasons or ultimately hijacked by attackers. Many LinkedIn users have been complaining about the account takeovers or lockouts and an inability to resolve the problems through LinkedIn support.
• The Discord.io custom invite service has temporarily shut down after suffering a data breach exposing the information of 760,000 members.