Cybersecurity Digest #82: 05/09/2023 – 19/09/2023

Cybersecurity news

• The APT36 hacking group has been observed using at least three Android apps that mimic YouTube to infect devices with their signature remote access trojan (RAT), ‘CapraRAT.’ Once the malware is installed on a victim’s device, it can harvest data, record audio and video, or access sensitive communication information, essentially operating like a spyware tool.
• Apple has released emergency patches for outdated versions of the iPhone and Mac. The update eliminates the CVE-2023-41064 vulnerability and eliminates the possibility of remote hacking of devices for the purpose of subsequent monitoring of users using spyware.
• A new vulnerability disclosed in GitHub could have exposed thousands of repositories at risk of repojacking attacks, new findings show. The flaw could allow an attacker to exploit a race condition within GitHub’s repository creation and username renaming operations.
• A new cyber attack campaign is leveraging the PowerShell script associated with a legitimate red teaming tool to plunder NTLMv2 hashes from compromised Windows systems primarily located in Australia, Poland, and Belgium.
• A critical vulnerability impacting the Cisco BroadWorks Application Delivery Platform and Cisco BroadWorks Xtended Services Platform could allow remote attackers to forge credentials and bypass authentication. The flaw, discovered internally by Cisco security engineers, is tracked as CVE-2023-20238 and rated with a maximum CVSS score of 10.0.
• A new threat to Android devices named android[.]pandora has been identified that compromises the devices when pirated video content is installed or during firmware updates.

Cybersecurity Blog Posts

• The resource whereisk0shl has presented an analysis of the Use-After-Free vulnerability and exploitation in the Windows CNG Key Isolation service, leading to privilege escalation (CVE-2023-36906).
• In his article, author Alexander Wolf discussed the downgrading of authentication to NetNTLMv1 and its subsequent use in attacks. The blog presents two common attack scenarios that often occurred during internal penetration tests: breaking DES encryption and relaying from a vulnerable system to LDAP.
• Adenike Cosgrove shared her thoughts on whether cybercriminals should be “right only once.” The author believes that to combat attacks, it is necessary to enhance the security and culture within organizations to make it more difficult for cybercriminals to succeed at all levels.
• Heather Hinton, CISO of PagerDuty, emphasizes the importance of continuous cybersecurity education in her article and reflects on how to make it effective. The author offers advice such as explaining the “why” behind adhering to security measures, considering technical aspects, and creating accessible training programs.

Research and analytics

• According to the Netwrix survey, 69% of organisations in the education sector suffered a cyberattack within the last 12 months. Phishing and user account compromise were the most common attack paths for these organisations, while phishing and malware topped the list for other verticals. What’s more, 3 out of 4 attacks (75%) in the education sector were associated with a compromised on-premises user or admin account, compared to 48% for other sectors.
• TrustedSec experts conducted research on creating emails using HTML injection. As a result, they concluded that if an email with HTML support contains user-input data, it may be vulnerable to the injection of malicious HTML, potentially allowing an attacker to modify the entire email text and insert malicious links.
• During their research, the Security Joes Incident Response team discovered a set of relatively new CVEs that were released in late March 2023. The chain of vulnerabilities identified during the investigated attack represents a situation where malicious actors potentially could gain the ability for remote code execution and full control over systems running vulnerable versions of the high-performance distributed object storage system MinIO.
• A research report from BlackBerry Global Threat Intelligence, focusing on the analysis of existing cyber threats during the period of March to May 2023, has been published.
• The SSD Secure Disclosure team has provided a description and a Proof of Concept (PoC) for a privilege escalation vulnerability in the Windows “File History” service (CVE-2023-35359). This vulnerability allows, through the use of a malicious manifest, for the service to load an external DLL when launched, potentially granting the DLL elevated privileges. This could be leveraged to create a service that runs with SYSTEM-level privileges.
• In the Fortinet’s company report highlighted multiple instances of vulnerabilities exploitation that were previously discovered in Adobe ColdFusion. It is noted that in July 2023, Adobe released a series of security updates (APSB23-40, APSB23-41, and APSB23-47) following reports of several critical vulnerabilities in its platform.
• ESET researchers have uncovered a new hacking campaign by the Charming Kitten hacker group (also known as Phosphorus, TA453, APT35, APT42), during which 34 organizations in various countries were targeted. The hackers employed previously undisclosed malware called “Sponsor.”

Major Cyber Incidents

• The International Joint Commission, a body that manages water rights along the US-Canada border, has confirmed its IT security was targeted, after a ransomware gang claimed it stole 80GB of data from the organization.
• Software bug-tracking company Rollbar disclosed a data breach after unknown attackers hacked its systems in early August and gained access to customer access tokens. Once inside Rollbar’s systems, the threat actors searched the company’s data for cloud credentials and Bitcoin wallets.
• The European aerospace giant Airbus said that it is investigating a cybersecurity incident following reports that a hacker posted information on 3,200 of the company’s vendors to the dark web.
• The Ragnar Locker ransomware gang claims responsibility for the cyberattack on Mayanei Hayeshua hospital from Israel. Cybercriminals allegedly managed to steal 1TB of data. The criminal gang threatens to leak all that exfiltrated information.
• Investigations have begun into a massive ransomware attack that has affected Sri Lanka’s government cloud system, Lanka Government Cloud (LGC). The attack likely started on August 26, 2023, when a gov[dot]lk domain user said they had received suspicious links over the past few weeks and that someone may have clicked one.
• Dymocks Booksellers is warning customers their personal information was exposed in a data breach after the company’s database was shared on hacking forums.