28/06/2024
Cybersecurity news
- The Cranefly hacking group uses a previously unseen technique of controlling malware on infected devices via Microsoft Internet Information Services web server logs. Like any web server, when a remote user accesses a webpage, IIS will log the request to log files that contain the timestamp, source IP addresses, the requested URL, HTTP status codes, and more.
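As an added example (not code from the news item or from any vendor report), a small Python parser for the IIS W3C log format described above, with a constructed sample log and assumed heuristic thresholds; it flags requests whose query string or User-Agent carries a long, high-entropy token, the kind of request a defender would want to review when a log file is suspected of doubling as a command channel.

```python
import math
from collections import Counter

# Constructed sample log: one ordinary request and one carrying an encoded token.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status time-taken
2022-10-01 08:00:01 10.0.0.5 GET /index.html - 80 - 203.0.113.10 Mozilla/5.0 200 12
2022-10-01 08:00:07 10.0.0.5 GET /missing.aspx id=aGVsbG8gd29ybGQgdGhpcyBpcyBhIHRlc3QgY29tbWFuZA 80 - 203.0.113.10 Mozilla/5.0 404 3
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded or encrypted data scores high."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_iis_log(text: str):
    """Yield one dict per request line, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # field order can change between log files
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue                    # skip malformed lines instead of misaligning columns
        yield dict(zip(fields, values))


def suspicious_requests(text: str, min_len: int = 32, min_entropy: float = 4.0):
    """Return (client IP, URI stem, field, token) for requests that carry a long,
    high-entropy token in the query string or User-Agent. Thresholds are assumptions."""
    hits = []
    for rec in parse_iis_log(text):
        for field in ("cs-uri-query", "cs(User-Agent)"):
            value = rec.get(field, "-")
            for token in value.replace("&", " ").replace("=", " ").split():
                if len(token) >= min_len and shannon_entropy(token) >= min_entropy:
                    hits.append((rec["c-ip"], rec["cs-uri-stem"], field, token))
                    break
    return hits
```

Note that the 404 request is logged just like a successful one, which is why a request to a nonexistent page is still a usable channel and still worth inspecting.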
- Threat actors are actively exploiting a now-patched vulnerability, tracked as CVE-2022-22954, in VMware Workspace ONE Access to deliver cryptocurrency miners and ransomware.
- McAfee specialists have removed 16 malicious programs from Google Play that were extremely popular among users. The programs had been installed more than 20 million times.
- Police in the Netherlands said they were able to trick the group behind the Deadbolt ransomware into handing over the decryption keys for 155 victims during a police operation.
- New research has disclosed what’s being called a security vulnerability in Microsoft 365 that could be exploited to infer message contents due to the use of a broken cryptographic algorithm.
- CISA has released RedEye, an interactive open-source analytic tool to visualize and report Red Team command and control activities. RedEye, available on GitHub, allows an operator to assess and display complex data, evaluate mitigation strategies, and enable effective decision-making in response to a Red Team assessment.
Cybersecurity Blog Posts
- Anton Chuvakin wrote on the topic of migration to the SIEM cloud and various approaches to storing data from the old SIEM (when switching to the new one). The author suggested options for how to store security log files inexpensively for a long period of time, while maintaining reasonable functionality similar to SIEM.
- Matthew Stephen shared a set of best practices for responding to cloud incidents. The author emphasized the importance of understanding the differences between cloud and on-premises environments, as well as the shared responsibility model, and cited 7 important steps to respond.
- A 22-year-old vulnerability, CVE-2022-35737, was discovered in SQLite (versions 1.0.12 through 3.39.1). The bug is an array-bounds overflow. Author Andreas Kellas described the vulnerability in detail and reported that the bug has existed since October 2000.
- Yossi Appleboum, CEO at Sepio, spoke about asset risk management challenges in different industries and where the field is heading. In his opinion, the first thing businesses need to do is go back to basics and focus on transparency and understanding risks.
Research and analytics
- The CYFIRMA Research team has seen an uptick in threat-actor-orchestrated cyber campaigns aimed at stealing confidential and sensitive information. Infostealers like “Prynt” are used to exfiltrate information as the first step in orchestrating sophisticated attacks, which may include the deployment of ransomware.
- In the first half of 2022, the total attack count and average attack size increased by 75.6% compared to the second half of 2021, according to a new Nexusguard study published in the DDoS Statistical Report for 1HY 2022.
- Sonatype, a DevOps security firm, said it had discovered 97,334 malicious libraries in several programming ecosystems in 2022. That number is up from about 12,000 last year, a year-over-year increase of almost 633%, the company said in its report on the state of the software supply chain.
- CloudSphere has published the results of its EOL Management and Risk for IT Assets study, which shows how confident organizations are in knowing which end-of-life (EOL) or near-EOL applications pose a significant risk to the business.
- The threat intelligence group PAN Unit42 has published a report on Ransom Cartel, a group of data extortionists that appeared in December 2021 and which, according to researchers, may be a cover for the old group of ransomware REvil.
- According to a new Trend Micro report, after a short break, the Black Basta group resumed the spread of the QAKBOT malware. In the detected campaign, attackers distribute QAKBOT via SmokeLoader, Remote and malicious spam, and then deploy the Brute Ratel framework as a second-stage payload.
- Security researchers from SafeBreach Labs have discovered a new PowerShell backdoor that was able to bypass dozens of the malware scanners used by VirusTotal. The tool’s stealth earned it the status of “fully undetectable”. Researchers believe it was used to target about 100 victims.
- 96% of open source Java downloads with known cybersecurity vulnerabilities could have been avoided because a better version was available but was not used. The annual State of the Software Supply Chain report from Sonatype revealed a massive surge in open source supply, demand, and malicious attacks, in addition to outdated open source downloads that led to the exploitation of vulnerabilities.
- According to a study by Encore of employees, senior managers and business leaders, as well as information security directors, half of employees may quit after a cyber attack and only a third said they would stay. At the same time, a significant number of business leaders either are not open with their employees or potentially even hide security gaps.
- Check Point’s latest brand phishing report for the third quarter of 2022 shows the brands that criminals most often imitated in their attempts to steal personal information or payment data of individuals in July, August and September. DHL took first place in the third quarter, accounting for 22% of all phishing attempts worldwide.
Major Cyber Incidents
- Communication services provider Twilio disclosed that it experienced another “brief security incident” in June 2022 perpetrated by the same threat actor behind the August hack that resulted in unauthorized access of customer information.
- German copper producer Aurubis has announced that it suffered a cyberattack that forced it to shut down IT systems to prevent the attack’s spread. Aurubis is Europe’s largest copper producer and the second largest in the world, with 6,900 employees worldwide, and produces one million tonnes of copper cathodes yearly.
- Australian Clinical Labs has disclosed a data breach that impacted its Medlab Pathology business, exposing the medical records and other sensitive information of 223,000 people.
- Australian health insurance firm Medibank disclosed that the personal information of all of its customers had been accessed without authorization following a recent ransomware attack. The firm said the attackers had access to “significant amounts of health claims data” as well as personal data belonging to its ahm health insurance subsidiary and international students.
- Verizon warned an undisclosed number of prepaid customers that attackers gained access to Verizon accounts and used exposed credit card info in SIM swapping attacks.
- LockBit 3.0 operators claim to have stolen data from the Japanese company Oomiya and threaten to leak it if the company does not pay the ransom. Oomiya is focused on designing and manufacturing microelectronics and facility system equipment.