12/12/2022
![Cybersecurity Digest #65: 12/12/2022 – 26/12/2022](/sites/default/files/styles/wide/public/2024-06/Digest-2.jpg?itok=uHHKjL3y)
Cybersecurity news
- CrowdStrike researchers have found a new exploit method that allows attackers to remotely execute code on Microsoft Exchange Server through Outlook Web Access. The method chains two vulnerabilities and bypasses the URL rewrite mitigations that Microsoft provided for ProxyNotShell, which affects on-premises Exchange servers.
- Chinese video surveillance company Hikvision has patched a critical vulnerability in some of its wireless bridge products. The flaw can lead to remote CCTV hacking, according to the researchers who found it.
- Corsair has confirmed that a bug in the firmware of K100 keyboards, and not malware, is behind previously entered text being auto-typed into applications days later. The company’s statement comes after multiple K100 users reported that their keyboards were typing text on their own at random moments.
- Threat actors have published a malicious Python package on PyPI, named ‘SentinelOne,’ that pretends to be the legitimate SDK client for the trusted American cybersecurity firm but in reality steals data from developers. The package does provide the expected functionality, a convenient way to access the SentinelOne API from another project, but it has been trojanized to steal sensitive data from the developer systems on which it is installed.
- Microsoft flagged a cross-platform botnet that’s primarily designed to launch distributed denial-of-service (DDoS) attacks against private Minecraft servers. Called MCCrash, the botnet is characterized by a unique spreading mechanism that allows it to propagate to Linux-based devices despite originating from malicious software downloads on Windows hosts.
- GitHub will require all users who contribute code on the platform to enable two-factor authentication (2FA) as an additional protection measure on their accounts by the end of 2023. For GitHub users, account takeovers can lead to the introduction of malicious code for supply chain attacks that, depending on the project’s popularity, may have a far-reaching impact.
Cybersecurity Blog Posts
- Unit 42 researchers have published an article detailing two attacks on Kerberos, Diamond Tickets and Sapphire Tickets, and possible ways to detect them. The detection is based on Windows event logs and network traffic.
- Jeffrey Wheatman, a cyber risk specialist at Black Kite, shared his opinion on what a CISO can do to win the fight against ransomware in their organization. The article lays out the steps for developing an incident prevention strategy.
- Ramil Khantimirov, CEO and co-founder of StormWall, discussed the growth in the number of DDoS attacks in the Asia-Pacific region in recent years. In 2021 the region ranked first, with 46% of DDoS attacks occurring there; in 2022 it was overtaken by the United States, but it remains one of the most targeted regions.
Research and analytics
- Recorded Future’s Insikt Group conducted a study of malicious command-and-control (C2) infrastructure identified using proactive scanning and collection methods throughout 2022. All data was sourced from the Recorded Future Platform and is current as of September 1, 2022.
- AdaptiveMobile researchers said they are seeing a new trend of using international numbers for the delivery of SMS spam and phishing messages to mobile subscribers in other countries.
- CYFIRMA has published a review of the initial access broker (IAB) market and the trends and insights they have observed this year. Before advertising access on underground forums, initial access brokers use ZoomInfo to profile the victim organization, including its revenue, the industry it serves, the number of employees, and the type of business. Access to organizations in the United States sells for more than access to organizations in other countries, and access to the banking sector is the most expensive of any sector.
- In the report Cybersecurity Trends 2023: Securing Our Hybrid Lives, ESET experts offer their reflections on what the continued blurring of boundaries between different spheres of life means for our human and social experience, and especially for our cybersecurity and privacy.
- According to a study by Thales, about a third of all Internet users had their personal data leaked during 2022, and 82% of those whose personal information was stolen reported a deterioration in their quality of life after the loss.
Major Cyber Incidents
- Comcast Xfinity customers report their accounts being hacked in widespread attacks that bypass two-factor authentication. These compromised accounts are then used to reset passwords for other services, such as the Coinbase and Gemini crypto exchanges.
- Okta, a leading provider of authentication services and Identity and Access Management (IAM) solutions, says that its private GitHub repositories were hacked.
- Restaurant customer management platform SevenRooms has confirmed it suffered a data breach. A threat actor posted data samples on the Breached hacking forum, claiming to have stolen a 427 GB backup database with thousands of files containing information about SevenRooms customers.
- Colombian energy company Empresas Públicas de Medellín suffered a BlackCat ransomware attack, disrupting the company’s operations and taking down online services. The company told approximately 4,000 employees to work from home, with IT infrastructure down and the company’s websites no longer available.
- Gemini crypto exchange announced that customers were targeted in phishing campaigns after a threat actor collected their personal information from a third-party vendor. The notification comes after multiple posts on hacker forums offered to sell a database allegedly from Gemini containing phone numbers and email addresses of 5.7 million users.
- A hacker, reportedly using a fake email address, posed as the chief executive of an American financial institution to gain bureau-approved access to InfraGard, the FBI’s public-private cybersecurity forum, and is now selling details of its more than 80,000 members.