28/06/2024
Cybersecurity news
- The Cybersecurity and Infrastructure Security Agency has added three more security flaws to its list of bugs exploited in attacks, including a Bitbucket Server RCE and two Microsoft Exchange zero-days. CISA’s Known Exploited Vulnerabilities catalog now includes two Microsoft Exchange zero-days (CVE-2022-41040 and CVE-2022-41082) exploited in limited, targeted attacks, according to Microsoft.
- A new phishing campaign targets US and New Zealand job seekers with malicious documents installing Cobalt Strike beacons for remote access to victims’ devices. The attack is modularized and multi-staged, with most steps relying on executing obfuscated scripts from the host’s memory and abusing the Bitbucket code hosting service to evade detection.
- Hackers have found a new method to establish persistence on VMware ESXi hypervisors to control vCenter servers and virtual machines for Windows and Linux while avoiding detection. With the help of malicious vSphere Installation Bundles, the attacker was able to install on the bare-metal hypervisor two backdoors that researchers have named VirtualPita and VirtualPie.
- Hackers have started using a new code execution technique that relies on mouse movement in Microsoft PowerPoint presentations to trigger a malicious PowerShell script. No macro is necessary for the malicious code to execute and download the payload, which makes the attack harder to spot.
- SentinelLabs researchers provided details of an advanced threat actor called Metador that primarily targets telecommunications, internet service providers, and universities in several countries across the Middle East and Africa. The operators are highly aware of operations security, managing carefully segmented infrastructure per victim while deploying intricate countermeasures in the presence of security solutions.
- A vulnerability in the Python programming language that has been overlooked for 15 years is now back in the spotlight as it likely affects more than 350,000 open-source repositories and can lead to code execution. Disclosed in 2007 and tagged as CVE-2007-4559, the security issue never received a patch, the only mitigation provided being a documentation update warning developers about the risk.
- At least four agencies within the United States Department of Defense, including the Army and Navy, have collectively spent at least $3.5 million on a little-known data monitoring tool with the reported ability to provide access to vast swaths of email data and web browsing activity.
Cybersecurity Blog Posts
- Numen Cyber Labs experts have released a detailed review and analysis of the use of documented Chrome vulnerabilities in an article titled "From Leaking TheHole to Chrome Renderer RCE".
- Leon Juranic, Security Research Team Lead at Mend, has published an article describing everything you need to know about the Evil-Colon attack, which is relevant mainly to Windows servers. The attack works much like the now largely obsolete zero-byte (Poison-NULL-Byte) attacks.
- Anton Chuvakin dedicated a post to trust and transparency in detection. In his opinion, the era of opaque detection has come again, and practitioners are beginning to pay much more attention to understanding how the detection engine reached a decision instead of just looking at the result. The author explains two principles, interpretability and explainability, and how to choose a suitable detection model.
Research and analytics
- Approximately 90% of companies said they were impacted by ransomware in 2022, and 78% said they were hit at least twice, SpyCloud’s report indicated. Companies affected in each size category varied, with a range of 82% for enterprises with more than 25,000 employees and 92% for organizations with 1,000 to 4,999 employees.
- The APWG’s Phishing Activity Trends Report reveals that in the second quarter of 2022, the APWG observed 1,097,811 total phishing attacks — the worst quarter for phishing that APWG has ever observed. The number of phishing attacks reported has quadrupled since early 2020 — when APWG was observing between 68,000 and 94,000 attacks per month.
- Infoblox has announced the results of its 20/20 Visibility Clarifies Network Security study, which showed that IT executives around the world are striving for greater network visibility. The findings underscore a convergence of security with networking, which IT decision-makers now view as the missing strategy that will improve security response, automate compliance tasks, and better manage processes and outcomes.
- Researchers from Symantec, Cyderes and Stairwell have recently analyzed a new version of the Exmatter data exfiltration tool and have spotted a new capability: data corruption.
- Anaconda Inc., provider of the world’s most popular data science platform, released its annual 2022 State of Data Science report, revealing the widespread trends, opportunities, and perceived blockers facing the data science, machine learning (ML), and artificial intelligence (AI) industries. The global study targeted the open-source community through three cohorts of academics, industry professionals, and students.
- Gurucul, the leader in Next-Gen SIEM, XDR, SENSE and Identity Access Analytics, today announced the results of a Black Hat USA 2022 security professionals survey. Respondents indicated that Insider Threats were the most difficult type of attack for SOC analysts to detect, and that Behavioral Analytics was the most common piece of technology they felt was missing and that they planned to add to the SOC in the near future.
- The Perception Point team has published a report on a phishing campaign in which an attacker forces users to play a malicious video that leads to account theft. The attack chain begins with an email containing an invoice from the British email security company Egress.
- According to the Dynatrace 2022 Global CIO Report, 71% of CIOs say the explosion of data produced by cloud-native technology stacks is beyond human ability to manage. Over three quarters (77%) of CIOs say their IT environment changes once every minute or less. CIOs say their teams use an average of 10 monitoring tools across their technology stacks, but they have observability across just 9% of their environment. 59% of CIOs say without a more automated approach to IT operations, their teams could soon become overloaded by the increasing complexity of their technology stack. 64% of CIOs say it has become harder to attract and retain enough skilled IT ops and DevOps professionals to manage and maintain their cloud-native stack.
Major Cyber Incidents
- The BlackCat ransomware gang claims to have breached the IT firm NJVC, which supports the federal government and the United States Department of Defense. The company supports intelligence, defense, and geospatial organizations. The company has more than 1,200 employees in locations worldwide.
- A hacker group called Guacamaya stole classified government information from multiple military and government agencies across several Latin American countries. Among the stolen data was a huge trove of emails from Mexico's Defense Department, which shed light on the poor resilience of the country's infrastructure to cyberattacks due to poor investment and awareness.
- The Shangri-La hotel group disclosed a data breach: threat actors had access to a database containing the personal information of customers at eight of its Asian properties between May and July.
- TAP has admitted that hackers leaked customer data. The personal data of TAP customers released by the cybercriminal group Ragnar Locker, which attacked the airline in August, ranges from names, addresses, e-mail addresses and dates of birth to registration dates and passenger numbers.
- FBI and CISA said that one of the Iranian threat groups behind the destructive attack on the Albanian government’s network in July lurked inside its systems for roughly 14 months.
- England-based cryptocurrency market maker Wintermute announced that it had been the target of a cyberattack in which hackers stole $160 million from its DeFi operation. The company confirmed that the hack was restricted to its DeFi operations, and that its OTC, lending, and CeFi services remained unaffected.