Cybersecurity Digest #54: 11/07/2022 – 22/07/2022

Cybersecurity news

  • A threat actor is promoting a new version of their free-to-use ‘Redeemer’ ransomware builder on hacker forums, offering unskilled threat actors an easy entry to the world of encryption-backed extortion attacks. The author states that the new 2.0 release was written entirely in C++. It works on Windows Vista, 7,8,10, and 11, featuring multi-threaded performance and a medium AV detection rate.
  • A cryptomining gang known as 8220 Gang has been exploiting Linux and cloud app vulnerabilities to grow their botnet to more than 30,000 infected hosts. The group is a low-skilled, financially-motivated actor that infects AWS, Azure, GCP, Alitun, and QCloud hosts after targeting publicly available systems running vulnerable versions of Docker, Redis, Confluence, and Apache.
  • Atlassian has patched a critical hardcoded credentials vulnerability in Confluence Server and Data Center that could let remote, unauthenticated attackers log into vulnerable, unpatched servers. The hardcoded password is added after installing the Questions for Confluence app for a user account with the username disabledsystemuser — designed to help admins with the migration of data from the app to the Confluence Cloud.
  • Microsoft sounded the alarm on a threat actor using the H0lyGh0st ransomware in attacks targeting small and midsize businesses worldwide. The hackers, who call themselves H0lyGh0st and are tracked by Microsoft as DEV-0530, have been using ransomware since at least June 2021, and have successfully compromised numerous organizations since September 2021.
  • Specialists from the Israeli Ben-Gurion University have developed a new method for extracting data from computers that are physically isolated from any networks and potentially dangerous peripherals. This time, the experts suggested using Serial Advanced Technology Attachment (SATA) cables, turning them into wireless antennas.
  • Microsoft has released updates to fix at least 86 security vulnerabilities in its Windows operating systems and other software, including a weakness in all supported versions of Windows that Microsoft warns is actively being exploited.
  • A team of security researchers found that several modern Honda car models have a vulnerable rolling code mechanism that allows unlocking the cars or even starting the engine remotely. Called Rolling-PWN, the weakness enables replay attacks where a threat actor intercepts the codes from the keyfob to the car and uses them to unlock or start the vehicle.

Cybersecurity Blog Posts

Research and analytics

  • Experts have discovered a new ransomware program named Lilith, which targets 64-bit versions of Windows. According to a report by Cyble, ransomware operators use Lilith to conduct double-extortion attacks.
  • Microsoft 365 Defender Research Team has released a study where in one campaign, phishers have attacked more than 10,000 organizations, and then used the gained access to the mailboxes of the victims for subsequent BEC attacks. According to the report, hackers used special landing pages for their attacks designed to compromise the Office 365 authentication process, even in cases where the target’s account was protected by multi-factor authentication.
  • According to experts from Resecurity, BlackCat ransomware actors began defining $2,5 million ransom demands, with a possible discount close to half, motivating the victim to resolve the incident as soon as possible. The average time allocated for payment varies between 5-7 days, to give victim some time to purchase BTC or XMR cryptocurrency. In case of difficulties, the victim may engage an “intermediary” for further recovery process.
  • The accelerated digitalization of global oil and gas has made the industry increasingly vulnerable to cyber-attacks. This is stated in the Global Data report: Cybersecurity in the Oil and Gas industry. The Colonial Pipeline attack in May 2021 was a wake-up call that stoked cybersecurity concerns in the oil and gas industry and beyond. According to Global Data analysts, Global cybersecurity revenues are expected to reach $198 billion in 2025, recording a compound annual growth rate (CAGR) of 9.5% between 2020 and 2025. The energy industry will be an important driver of increasing cybersecurity revenues globally. Cybersecurity costs for the oil and gas industry will reach $10 billion by 2025.
  • Researchers at the Citadel have recently developed a DNN that can detect a type of cyberattack known as distributed denial of service (DDoS) DNS amplification, and then used two different algorithms to generate adversarial examples that could trick their DNN. Their findings, published in a paper pre-published on arXiv, further confirm the unreliability of deep learning methods for DNS attack detection and their vulnerability to adversarial attacks.
  • The findings, published in the (ISC)² Cybersecurity Hiring Managers Guide, reveal that more than a third of hiring managers (37%) believe entry- and junior-level cybersecurity  hires are ready to handle assignments independently within six months or less on the job. 67% say it takes entry-level hires up to nine months to be able to work independently.
  • According to a recent survey conducted by enterprise security company, Panaseer, the largest ransomware pay-outs by cyber insurers in the last two years has averaged £3.26 million in the UK and $3.52 million in the US. The survey found that 82% are expecting the rise in premiums to continue, with 74% of insurers agreeing that their inability to accurately understand a customer’s security posture is impacting price increases.
  • Speculative execution attacks continue to be a serious threat to modern processors. A new study by cybersecurity experts has shown that the industry cannot yet competently follow the recommendations of AMD and Intel to protect against such attacks, which creates risks for supply chains.

Major Cyber Incidents

  • Digital security giant Entrust has confirmed that it suffered a cyberattack where threat actors breached their network and stole data from internal systems. Depending on what data was stolen, this attack could impact a large number of critical, and sensitive, organizations who use Entrust for identity management and authentication.
  • Virtual pet website Neopets has suffered a data breach leading to the theft of source code and a database containing the personal information of over 69 million members. A hacker known as ‘TarTarX’ began selling the source code and database for the website for four bitcoins, worth approximately $94,000 at today’s prices.
  • The Knauf Group has announced it has been the target of a cyberattack that has disrupted its business operations, forcing its global IT team to shut down all IT systems to isolate the incident.
  • Payment card details from customers of more than 300 restaurants have been stolen in two web-skimming campaigns targeting three online ordering platforms. Web-skimmers, or Magecart malware, are typically JavaScript code that collects credit card data when online shoppers type it on the checkout page.
  • Roblox has seen user data leaked online after a failed data extortion attack by an unknown cybercriminal. The leak of four gigabytes of documents apparently from the gaming company includes emails and spreadsheets on several games on the platform, as well as personal data of individual users.
  • Game publishing giant Bandai Namco disclosed about a cyberattack which may have resulted in the theft of customers’ personal data. The hackers have breached internal systems for offices in Asian regions, other than Japan.
  • As part of a new phishing campaign with a callback, a hacker impersonated CrowdStrike to warn the recipient that someone had hacked the user’s workstation and a thorough security audit was required.