Cybersecurity Digest #81: 22/08/2023 – 05/09/2023

Cybersecurity news

• Proof-of-concept exploit code has been released for a critical SSH authentication bypass vulnerability in VMware’s Aria Operations for Networks analysis tool (formerly known as vRealize Network Insight).
• Researchers took advantage of a weakness in the encryption scheme of Key Group ransomware and developed a decryption tool that lets some victims to recover their files for free.
• A vulnerability in Skype mobile apps can be exploited by attackers to discover a user’s IP address – a piece of information that may endanger individuals whose physical security depends on their general location remaining secret.
• U.S. authorities said an international law enforcement operation had taken down the notorious “Qakbot” malware platform used extensively by cybercriminals in a variety of financial crimes.
• In yet another sign that developers continue to be targets of software supply chain attacks, a number of malicious packages have been discovered on the Rust programming language’s crate registry.
• A threat actor believed to be tied to the FIN8 hacking group exploits the CVE-2023-3519 remote code execution flaw to compromise unpatched Citrix NetScaler systems in domain-wide attacks.

Cybersecurity Blog Posts

• In this Help Net Security interview, Roland Atoui, Managing Director at Red Alert Labs, discusses the intricacies of transitioning from isolated IoT setups to interconnected environments, examining the broadening attack surface and the nuanced complexities this evolution imposes.
• In the ThreatConnect blog, author Toby Bussa published an overview of 7 principles of conducting threat analysis operations of The Dawn of TI Ops and detailed principle No. 4, in which the focus is not only on indicators of compromise, but also on motives, tactics, methods, trends, tools and infrastructure models of threat actors.
• The Help Net Security portal has listed 11 search engines for cybersecurity research that can be used right now.
• Ryne Laster, described 3 types of privileged accounts that need to be protected in the enterprise. In his opinion, since the types of privileged accounts that need to be protected have expanded in scope and scale, the ways in which organizations not only manage privileges, but also comprehensively protect them should also change.

Research and analytics

• Critical Insight Releases H1 2023 Report: Record 40 Million Individuals Exposed in Healthcare Cyber Breaches Despite Overall Decline. Hacking/IT incidents were the primary cause, accounting for 73% of breaches. Hackers have shifted their tactics towards targeting network vulnerabilities. Network server breaches are responsible for a staggering 97% of individual records affected, while only 2% can be attributed to email breaches.
• Security researchers from Shadow Stack RE have reverse-engineered the Linux/ESXi encryptor of Abyss (or Abyss Locker). The Abyss RaaS launched earlier this year, in May.
• The latest research from Mandiant on generative AI reveals threat actors are interested in generative AI, but usage remains limited. Mandiant predicts that generative AI tools will accelerate the integration of AI into both information operations and intrusion activities.
• Statistics from Sophos show that in the first half of the year the hackers’ median dwell time dropped to five days from nine in 2022. The company notes that ransomware attacks accounted for 68.75% of all cyberattacks recorded by Sophos this year. Median dwell time for non-ransomware incidents increased from 11 to 13 days this year. This suggests that while ransomware threat actors move quicker, other cybercriminals carrying out network intrusions “tend to linger” and wait for an opportunity.
• According RecordedFuture in the first half of 2023, ransomware attacks surged, with attackers increasingly relying on exploiting vulnerabilities for rapid compromise. Prominent campaigns targeted organizations using vulnerability exploits, such as the VMware ESXi hypervisor breach. Prominent malware variants in H1 2023 included LockBit, ALPHA, Royal, ESXiArgs, and Pegasus.
• Security firm Trustwave says it saw a noticeable increase in BEC activity at the start of 2023. The company says that half of the BEC lures it saw in the first half of the year were payroll diversion attacks, a tactic where attackers pretend to be employees of the targeted company and try to redirect the payroll to their own bank account. Trustwave says this tactic is extremely efficient because it’s not uncommon for workers to change their bank account information for legitimate reasons.
• Elastic security team analyzes the latest version of the BLISTER loader. New BLISTER update includes keying feature that allows for precise targeting of victim networks and lowers exposure within VM/sandbox environments.

Major Cyber Incidents

• The University of Sydney (USYD) announced that a breach at a third-party service provider exposed personal information of recently applied and enrolled international applicants.
• Network monitoring company LogicMonitor confirmed that some users of its SaaS platform have fallen victim to cyberattacks. The threat actors hacked customer accounts and were able to create local accounts and deploy ransomware.
• AI-powered coding platform Sourcegraph revealed that its website was breached using a site-admin access token accidentally leaked online on July 14th.
• Forever 21 clothing and accessories retailer is sending data breach notifications to more than half a million individuals who had their personal information exposed to network intruders.
• North Korean hackers have uploaded malicious packages to the PyPI repository, camouflaging one of them as a VMware vSphere connector module named vConnector. The packages were uploaded at the beginning of August, with one named VMConnect targeting IT professionals seeking virtualization tools.
• American entertainment giant Paramount Global disclosed a data breach after its systems got hacked and attackers gained access to personally identifiable information.