28/06/2024
Cybersecurity news
- Computer security experts in Scotland have developed a system that uses thermal imaging and artificial intelligence to guess computer and smartphone passwords in seconds.
- A phishing-as-a-service platform named ‘Caffeine’ makes it easy for threat actors to launch attacks, featuring an open registration process allowing anyone to jump in and start their own phishing campaigns. Caffeine doesn’t require invites or referrals, nor does it require wannabe threat actors to get approval from an admin on Telegram or a hacking forum. Due to this, it removes much of the friction that characterizes almost all platforms of this kind.
- The Zimbra Collaboration Suite is affected by a critical remote code execution vulnerability that remains unpatched despite being exploited in attacks. The issue, tracked as CVE-2022-41352, stems from the cpio method that the Zimbra antivirus engine uses when scanning inbound emails. According to Rapid7, an attacker can exploit the vulnerability by emailing a .cpio, .tar, or .rpm file to an affected server.
- Fortinet has warned administrators to update FortiGate firewalls, FortiProxy web proxies, and FortiSwitch Manager on-premise management platforms to the latest versions, which address a critical severity vulnerability. The security flaw (tracked as CVE-2022-40684) is an authentication bypass on the administrative interface that could allow remote threat actors to log into unpatched devices.
- Researchers have recently discovered a malware named Maggie that has been gaining unauthorized backdoor access to several Microsoft SQL servers. The malware was discovered by John Aydinbas and Alex Wauer, German analysts at DSCO CyTec. According to the data collected, it has already infected servers in South Korea, Vietnam, India, China, Thailand, Russia, Germany, and the US.
- Avast has released a decryptor for variants of the MafiaWare666 ransomware known as ‘Jcrypt’, ‘RIP Lmao’, and ‘BrutusptCrypt,’ allowing victims to recover their files for free. The security company says it discovered a flaw in the encryption scheme of the MafiaWare666 strain, allowing some of the variants to be unlocked. However, this may not apply to newer or unknown samples that use a different encryption system.
- Google will pay $85 million to resolve a consumer privacy suit by Arizona claiming the technology giant surreptitiously collects data on users’ whereabouts for targeted advertising.
Cybersecurity Blog Posts
- Snyk experts described in their blog how they discovered a new malicious PyPI library called Raw-Tool, which runs unknown binary files during installation and contacts a suspicious domain.
- Carol Williams has published an article about 6 Steps to Building a Vibrant Performance-Focused Risk Culture. The author argues that the success of any efforts to integrate risks in the strategic decision-making process does not depend on a specific standard or process, but on the culture of the company itself.
- Check Point’s blog published an article about Internet-connected cameras, which today are one of the most preferred ways for hackers to penetrate corporate networks.
- Mary Pratt, in the CSO blog, released an article about how legacy tech impedes zero trust and what to do about it. She believes that old perimeter-based defenses can throw up roadblocks to implementing a zero-trust strategy, but a measured, phased approach will see you through.
Research and analytics
- The average company with data in the cloud faces $28 million in data-breach risk, according to a new report from Varonis. The Great SaaS Data Exposure examines the challenges CISOs face in protecting data across a growing portfolio of SaaS apps and services such as Microsoft 365, Box, and Okta. One out of every 10 records in the cloud is exposed to all employees — creating an impossibly large internal blast radius, which maximizes damage during a ransomware attack.
- Cequence Security has released the report API Protection Report: Shadow APIs and API Abuse Explode. Roughly 5 billion (31%) of the 16.7 billion malicious requests observed targeted unknown, unmanaged and unprotected APIs, commonly referred to as shadow APIs, and spanned a wide range of use cases.
- Secureworks has published the report 2022 State of the Threat: A Year in Review. Among its findings, we can highlight the reduction in ransomware groups' dwell time to 11 days this year from 22 days last year. The loader landscape is evolving, and there is evidence of close cooperation between groups operating different loaders. There is also a shift to lightweight one-time loaders instead of complex botnets such as TrickBot or Emotet.
- In a Trend Micro report, researchers describe a new attacker, Water Labbu, who compromises vulnerable cryptocurrency scam sites to replace the scammers' wallet addresses with their own.
- Red Canary has updated the statistics on the main threats it observes in the report Intelligence Insights: September 2022. At the core, the list is still dominated by the same tools: Cobalt, Mimikatz, Impacket, BloodHound. On the technique side, the basics remain in use: Scheduled Tasks, Signed Binary Proxy Execution, PowerShell, Command Line, UAC Bypass.
- BitSight released a report stating that it had tracked up to 51,500 systems infected with PseudoManuscrypt malware until the operators changed their command-and-control infrastructure. Since then, the number of infected systems seen in the botnet has decreased to about 7,000 per day.
Major Cyber Incidents
- A new version of an unofficial WhatsApp Android application named ‘YoWhatsApp’ has been found stealing access keys for users’ accounts. YoWhatsApp is a fully working messenger app that uses the same permissions as the standard WhatsApp app and is promoted through advertisements on popular Android applications like Snaptube and Vidmate.
- Intel has confirmed that a source code leak for the UEFI BIOS of Alder Lake CPUs is authentic, raising cybersecurity concerns with researchers. On Friday, a Twitter user named ‘freak’ posted links to what was said to be the source code for Intel Alder Lake’s UEFI firmware, which they claim was released by 4chan.
- Toyota Motor Corporation is warning that customers’ personal information may have been exposed. Toyota discovered recently that a portion of the T-Connect site source code was mistakenly published on GitHub and contained an access key to the data server that stored customer email addresses and management numbers.
- Taiwanese chipmaker ADATA denies claims of a RansomHouse cyberattack after the threat actors began posting stolen files on their data leak site. The RansomHouse gang added ADATA files to their data leak site on Tuesday, claiming they stole 1TB worth of documents in a 2022 cyberattack. The threat actors also leaked samples of allegedly stolen files, which appear to belong to the company.
- America’s second-largest nonprofit healthcare org is suffering a security “issue” that has diverted ambulances and shut down electronic records systems at hospitals around the country. The nonprofit, in a very brief notice posted on its website, said it took some systems offline, including “electronic health record (EHR) and other systems.”
- Resecurity, a California-based cybersecurity company, has noticed a new group of hacktivists targeting financial institutions in Egypt. They started leaking large volumes of compromised payment data belonging to the customers of major Egyptian banks on the Dark Web. The first mentions of this activity were detected in a Telegram channel created to leak Excel files containing 12,229 credit cards.