Cybersecurity Digest #57: 22/08/2022 – 02/09/2022

Cybersecurity news

• A new and upgraded version of the SharkBot malware has returned to Google’s Play Store, targeting banking logins of Android users through apps that have tens of thousands of installations. The malware was present in two Android apps that did not feature any malicious code when submitted to Google’s automatic review.
• The source code of a remote access trojan dubbed ‘CodeRAT’ has been leaked on GitHub after malware analysts confronted the developer about attacks that used the tool. The malicious operation, which appears to originate from Iran, targeted Farsi-speaking software developers with a Word document that included a Microsoft Dynamic Data Exchange exploit.
• Threat analysts have spotted a new malware campaign dubbed ‘GO#WEBBFUSCATOR’ that relies on phishing emails, malicious documents, and space images from the James Webb telescope to spread malware.
• Galois, a firm specialized in the research and development of new technologies, has open sourced a suite of tools for identifying vulnerabilities in C and C++ code. Dubbed MATE, the tools are the result of a collaborative effort supported by the United States Air Force and Defense Advanced Research Project Agency (DARPA).
• Atlassian has rolled out fixes for a critical security flaw in Bitbucket Server and Data Center that could lead to the execution of malicious code on vulnerable installations. Tracked as CVE-2022-36804 (CVSS score: 9.9), the issue has been characterized as a command injection vulnerability in multiple endpoints that could be exploited via specially crafted HTTP requests.
• The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned that threat actors are actively exploiting a vulnerability that affects Palo Alto Networks PAN-OS. The vulnerability, which is tracked as CVE-2022-0028, has a severity score of 8.6. The vulnerability is due to incorrect configuration of URL filtering policies, which could allow an unauthenticated remote attacker to conduct reflected and amplified TCP Denial-of-Service DoS attacks.

Cybersecurity Blog Posts

• Freedom to Tinker has published an article about why modern computers are vulnerable and how this is related to the complexity of their architecture. The author considers the idea of “cheap complexity” – the production of cheap complex general-purpose processors instead of simple devices for specific applications, which are more reliable, but many times more expensive.
• Susan Bradley shared examples of cases in which the application of the latest best practices of information security does not meet the established requirements of the organization. And since it is mandatory in almost all large firms, the author calls for the reasonable introduction of new requirements and technologies.
• Every stakeholder, from the CISO to even the red team, wants the blue team to succeed against simulated cyberattacks. Sticking to this advice will help make that happen. Chris Hughes described 6 best practices for blue team success.

Research and analytics

• Radware released a report revealing that the number of malicious DDoS attacks climbed by 203% compared to the first six months of 2021. There were 60% more malicious DDoS events during the first six months of 2022 than during the entire year of 2021.
• According to recent research by the Institute of Computing Technology, Chinese Academy of Sciences, they account for around 13.5% of all DNS queries in China, with two in every three AAAA queries failing.
• Vulnerability disclosures impacting IoT devices increased by 57% in the first half (1H) of 2022 compared to the previous six months, according to a research by Claroty. The report also found that over the same time period, vendor self-disclosures increased by 69%, becoming more prolific reporters than independent research outfits for the first time.
• A new Palo Alto Networks Unit 42 report reveals a sharp increase in phishing attacks that abuse software-as-a service platforms, like website builders and form builders. From June 2021 to June 2022, attacks have increased 1,100%. These phishing attacks sometimes impersonate legitimate sites to steal login credentials.
• According to the Trend Micro report, the operators of the new Agenda ransomware have chosen Windows computers as their main target. Armed with Agenda, hackers attack organizations in the field of education and healthcare. The amount of the required ransom varies from $50,000 to $800,000.
• Researchers from Lookout have released an interesting report, according to which a number of organizations in Kazakhstan, Syria and Italy used enterprise-level spyware for Android to infiltrate users’ mobile devices. The spy was named “Hermit“, presumably the Italian vendor RCS Lab S.p.A., specializing in surveillance, as well as the telecommunications company Tykelab Srl, is behind its creation.
• In 2022, the average cost of a data breach has reached a record high of US$4.35 million, according to the 2022 cost of a data breach report by IBM and the Ponemon institute. The top three industries affected by the costs of data breaches listed in this report are, healthcare, financial, and pharmaceuticals.
• Group-IB specialists have published a detailed report on the 0ktapus campaign. Experts reported that recent phishing attacks on Twilio and Cloudflare employees turned out to be part of this large-scale campaign, as a result of which 9931 accounts in more than 130 companies were compromised.

Major Cyber Incidents

• The Internal Revenue Service has accidentally leaked confidential information for approximately 120,000 taxpayers who filed a form 990-T as part of their tax returns. IRS Form 990T is used to report ‘unrelated business income’ paid to a tax-exempt entity, such as nonprofits (charities) or IRA and SEP retirement accounts.
• The BlackCat/ALPHV ransomware gang claimed responsibility for an attack that hit the systems of Italy’s energy agency Gestore dei Servizi Energetici SpA. GSE is a publicly-owned company that promotes and supports renewable energy sources across Italy.
• Sephora USA Inc has agreed to pay $1.2 million to resolve claims by California Attorney General Rob Bonta that the beauty retailer violated the state’s consumer privacy law. Sephora allegedly failed to tell consumers the company sold personal data collected on its website and did not process requests to opt out of sales through privacy controls set by users.
• One of the world’s biggest password managers with 25 million users, LastPass, has confirmed that it has been hacked. In an advisory published on August 25, Karim Toubba, the LastPass CEO, said that an unauthorized party had stolen “portions of source code and some proprietary LastPass technical information.”
• A hospital southeast of Paris has been targeted by a cyber attack, causing disruption to its services. Nurses are having to file data by hand. The hackers have demanded a $10 million ransom to unblock the system.
• The LockBit ransomware operation’s data leak sites have been shut down over due to a DDoS attack telling them to remove Entrust’s allegedly stolen data. Digital security giant Entrust confirmed a cyberattack disclosing that threat actors had stolen data from its network during an intrusion.