28/06/2024
Cybersecurity news
- A threat group tracked as ‘Worok’ hides its payload within PNG images to infect victims’ machines with information-stealing malware without raising alarms. This has been confirmed by researchers at Avast, who built upon the findings of ESET, the first to spot and report on Worok’s activity.
- Researchers from cybersecurity firm Avanan uncovered a campaign abusing Microsoft Dynamics 365 Customer Voice to steal credentials from victims. The experts reported hundreds of these attacks in the last few weeks. The emails come from the survey feature in Dynamics 365, and the sender’s address includes “Forms Pro,” which is the old name of the survey feature.
- The websites of popular business applications from Veeam, SolarWinds, KeePass and PDF Technologies are being spoofed by a threat actor to spread the RomCom remote access trojan, according to researchers at BlackBerry and Palo Alto Networks.
- The U.K.’s National Cyber Security Centre has launched a new program that will continually scan every internet-connected device hosted in the United Kingdom for vulnerabilities to help the government respond to zero-day threats.
- VMware warned of the existence of a public exploit targeting a recently addressed critical remote code execution (RCE) vulnerability in NSX Data Center for vSphere (NSX-V).
- The Irish government has amended its Communications Regulations Bill 2022 with clauses that will allow it to blacklist networking equipment vendors on national security grounds.
Cybersecurity Blog Posts
- Help Net Security has published a video with Matthew Chiodi, Chief Trust Officer of Cerby, in which he discusses the likely hole in your security strategy. The video zeroes in on one of the most important yet often missed areas of zero trust: unmanageable applications, which leading analysts say contribute to a third of all security breaches.
- Joey Stanford, VP of Privacy and Security at Platform.sh, wrote about how the recent critical Log4j vulnerability affected the reputation of open source software: 10% of companies said they refused to use open-source solutions. Nevertheless, the author is convinced that the development of open source is extremely important for the future of IT and calls on organizations to support such projects.
- Brett Raybould, EMEA Solutions Architect at Menlo Security, explained in his article how malicious patterns are introduced in highly evasive adaptive threat (HEAT) attacks. He stressed that the template format is especially attractive to attackers because such files contain no traces of malicious URLs or exploit markers and go unnoticed, for example, during the initial verification of emails.
- Dan Goodin wrote about passkeys, which build on various schemes for storing authentication credentials in hardware, a concept that has existed for more than ten years. Microsoft, Apple, Google and a consortium of other companies have united around a single passkey standard supported by the FIDO Alliance.
Research and analytics
- BigID has published the Cloud Data Security Research Report 2022, which showed that 86% of organizations use multiple cloud platforms to store their data across IaaS, PaaS and SaaS. Only 4% believe that all their cloud data is sufficiently protected: more than a quarter of organizations do not track regulated data, almost a third do not track confidential or internal data, and 45% do not track unclassified data.
- Group-IB experts described the French-speaking group Opera1er, which has existed since 2016. Between 2018 and 2022, these hackers stole at least $11 million from banks and telecommunications service providers in Africa, Asia and Latin America, and the actual damage from these attacks is estimated at $30 million.
- According to a new report by KELA, in the third quarter of this year hackers sold access to 576 corporate networks around the world. Although the number of offers remained approximately the same as in the previous two quarters, the total cost of access already reaches $4,000,000. For comparison, in the second quarter this figure was $660,000.
- Netwrix has announced the results of the healthcare edition of its 2022 Cloud Security Report, which states that 61% of respondents in this industry have been subjected to a cyber attack on their cloud infrastructure over the past 12 months. Phishing was the most common type of attack.
- In its report for the third quarter of 2022, Coveware found a shift in ransomware toward the healthcare sector, which was the second most affected sector after professional services. Coveware experts partially attributed this to the growing spread of Hive ransomware, whose operators attack healthcare organizations regardless of the impact on patient care.
- ENISA has published its annual Threat Landscape report for the period from July 2021 to July 2022. According to the report, more than 10 terabytes of data are stolen every month, and ransomware is still considered one of the main threats. Phishing is now identified as the most common initial vector of such attacks.
- Kaspersky Lab researchers have discovered new SandStrike spyware that is delivered via a malicious VPN application to Android users in the Middle East. The cybercriminals target people who speak Persian and are adherents of the Baha’i faith, which developed in Iran and parts of the Middle East.
Major Cyber Incidents
- Sobeys, Canada’s second-largest supermarket chain with more than 1,500 locations, has revealed that its grocery stores and pharmacies have been struggling with IT problems. The outage is reportedly the result of a Black Basta ransomware attack on the linked chains.
- An active extortion scam is targeting website owners and admins worldwide, claiming to have hacked their servers and demanding $2,500 not to leak data. The attackers (self-dubbed Team Montesano) are sending emails with the subject line “Your website, databases and emails has been hacked”.
- Maple Leaf Foods has suffered a cyberattack. The incident led to failures in the operation of systems and business processes. The company’s specialists are now working with information security experts to resolve the situation as soon as possible.
- An information security specialist discovered credentials for an internal server of the pharmaceutical giant AstraZeneca on GitHub. According to him, this information was accidentally published by a developer a year ago and gave access to confidential patient data.
- The LockBit ransomware gang has claimed responsibility for a cyberattack against the German multinational automotive group Continental. Hackers also allegedly stole some data from Continental’s systems, and they are threatening to publish it on their data leak site if the company doesn’t give in to their demands.
- File hosting service Dropbox has disclosed that it was the victim of a phishing campaign that allowed unidentified threat actors to gain unauthorized access to 130 of its source code repositories on GitHub.