02/01/2023

Cybersecurity News
- Threat actors are now sending OneNote attachments in phishing emails that infect victims with remote access malware, which is then used to install further malware, steal passwords, or drain cryptocurrency wallets.
- More than 4,000 public-facing Sophos firewalls remain vulnerable to a critical remote code execution bug that was disclosed last year and patched in the months that followed, according to security researchers. Exploiting it gives an attacker control of the device, which can then be used as a foothold to probe and attack the internal network or outside targets.
- A series of vulnerabilities in industrial routers made by InHand Networks could allow attackers to bypass security controls and reach internal operational technology (OT) networks from the internet.
- A zero-day vulnerability in the FortiOS SSL-VPN that Fortinet addressed last month was exploited by unknown actors in attacks on governments and other large organizations. The attacks exploited CVE-2022-42475, a heap-based buffer overflow that lets an unauthenticated remote attacker execute arbitrary code via specially crafted requests.
- For the January 2023 Patch Tuesday, Microsoft released patches for 98 CVE-numbered vulnerabilities, including one exploited in the wild (CVE-2023-21674) and one that had been publicly disclosed (CVE-2023-21549). Both are elevation-of-privilege flaws that let an attacker gain higher privileges on the vulnerable machine.
- Antivirus company Bitdefender has released a decryptor for the MegaCortex ransomware family, making it possible for victims of the once notorious gang to restore their data for free. Using the decryptor is pretty straightforward, as it’s a standalone executable that doesn’t require installation and offers to locate encrypted files on the system automatically.
Cybersecurity Blog Posts
- Riley Ryan, Senior Director of IT Security at Shure, offered his own security forecasts for 2023: attackers' tactics will evolve, defense strategies will evolve with them, and organizations will strive for comprehensive security. In the new year the author expects more attacks on software supply chains, the development of umbrella services, and simpler feedback and reporting.
- Diana-Lynn Contesti (CISSP-ISSAP, ISSMP, CSSLP, SSCP) also shared her expectations for the information security community in the new year. In her view, a shortage of security personnel will persist, the number of attacks will rise, and deepfake phishing and wiper (data-destroying) malware will surge. New data privacy rules and laws will be adopted around the world to protect consumer information.
- Help Net Security has published an article by Jackson Shaw, CSO at Clear Skye, on four identity security trends for 2023, among them the growth of cloud adoption and of identity-based attacks, and the consolidation of identity management vendors.
- Zeljka Zorz, Editor-in-Chief at Help Net Security, wrote about finding security flaws with fuzzing. The article describes how researchers used it to discover two recently patched vulnerabilities in MatrixSSL and wolfSSL, open source TLS/SSL libraries for embedded environments.
Research and analytics
- The report "Web hackers versus the Auto Industry" found wide-ranging security failings in systems relied on by 16 separate car makers and powering millions of vehicles. The faults include vulnerable single sign-on systems and web application flaws that allowed the researchers to remotely lock and unlock vehicles, start and stop engines, and locate vehicles by GPS.
- Conflict and geo-economic tensions have triggered a series of deeply interconnected global threats, according to the World Economic Forum's Global Risks Report 2023, produced in partnership with Marsh McLennan and Zurich Insurance Group. Cyberattacks against essential technology-enabled resources and services, including agriculture and water, financial institutions, public security, transportation, energy, and domestic, space-based and undersea communication infrastructure, are projected to increase along with cybercrime.
- Veracode has released data that could save organizations time and money by helping developers minimize the introduction and accumulation of security flaws in their software. Its State of Software Security (SoSS) report found that flaws build up over time: 32% of applications have flaws at their first scan, and by the time they have been in production for five years, 70% contain at least one security flaw.
- CISA has published its year-in-review report for fiscal year 2022. The report primarily deals with the agency’s work on national cybersecurity defense and agency task unification efforts.
- Threat intelligence company KELA has published its yearly report on cybercrime for the past year. According to the report, almost 2,800 victims of ransomware and extortion attacks were listed on 60 different leak sites, and 52% of those sites were new platforms that emerged in 2022.
- K7 Security Labs researchers have discovered a campaign by an unknown actor, presumably based in China, that abuses the legitimate Windows Error Reporting binary WerFault.exe to launch a remote administration tool. The attackers rely on DLL side-loading: the trusted, signed WerFault.exe is made to load a malicious DLL, which then runs the malware in memory on the compromised system.
- Fortinet has published a report on new families of ransomware programs discovered over the past few weeks. This latest edition of the Ransomware Roundup covers Monti, BlackHunt, and Putin ransomware.
- ThreatFabric researchers have recorded a spike in detections of the Android trojan SpyNote (also known as SpyMax) in the last quarter of 2022. The family is spyware designed to covertly monitor user activity on an Android device; it can monitor, manage and modify the device's resources and functions, and it gives the operator remote access.
- According to an Adastra survey, 77% of IT decision makers in the United States and Canada believe their companies may face a data leak within the next three years. Since the return to the office creates additional data security problems, the analysts offered 10 tips for minimizing the risk.
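The WerFault.exe item above describes a pattern a defender can hunt for directly: a trusted, signed Windows binary loading a DLL it should never load, or running from a directory it should never run from. The script below is an added example (not from the page or from K7 Security Labs) that runs that check over Sysmon-style "Image loaded" (Event ID 7) records. The JSON-lines input format, the field names (EventID, Image, ImageLoaded, Signed) and the sample events are constructed for illustration; faultrep.dll is a genuine System32 DLL that WerFault.exe loads, which is why a copy of it appearing next to a relocated WerFault.exe is the classic side-load layout.

```python
"""Detect WerFault.exe DLL side-loading in Sysmon-style image-load events.

Added example, not from the page or from K7 Security Labs. The input format,
field names and sample events are constructed to resemble Sysmon Event ID 7
(Image loaded) exported as JSON lines; adapt the field names to your pipeline.
"""
import json
import ntpath
from typing import Iterable

# Directories from which the genuine WerFault.exe is expected to run.
TRUSTED_PROCESS_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Any DLL that WerFault.exe loads should live somewhere under the Windows directory.
TRUSTED_DLL_ROOT = r"c:\windows"


def _norm(path: str) -> str:
    """Lower-case and normalise separators so path comparisons are stable."""
    return path.replace("/", "\\").lower()


def _under(path: str, root: str) -> bool:
    """True if `path` lies inside directory `root` (case-insensitive)."""
    return _norm(path).startswith(_norm(root).rstrip("\\") + "\\")


def parse_sysmon_jsonl(text: str) -> list[dict]:
    """Parse a JSON-lines export of Sysmon events; skip blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def detect_werfault_sideload(events: Iterable[dict]) -> list[dict]:
    """Return one finding per Event ID 7 record in which WerFault.exe looks abused.

    Two independent path signals, either of which is enough to alert:
      1. WerFault.exe itself runs from outside System32/SysWOW64 (attackers ship
         a copy of the signed binary next to their DLL so it is found first).
      2. WerFault.exe loads a DLL from outside C:\\Windows (the side-loaded payload).
    An unsigned DLL is recorded only as corroboration of a path hit, because
    catalog-signed system DLLs are not always reported as signed by every sensor.
    """
    findings = []
    for ev in events:
        if ev.get("EventID") != 7:
            continue  # only image-load events carry the loaded-DLL path
        image = ev.get("Image", "")
        if ntpath.basename(_norm(image)) != "werfault.exe":
            continue
        reasons = []
        if not any(_under(image, d) for d in TRUSTED_PROCESS_DIRS):
            reasons.append("werfault_outside_system_dir")
        loaded = ev.get("ImageLoaded", "")
        if loaded and not _under(loaded, TRUSTED_DLL_ROOT):
            reasons.append("dll_outside_windows_dir")
        if reasons and str(ev.get("Signed", "")).lower() == "false":
            reasons.append("unsigned_dll")
        if reasons:
            findings.append({"Image": image, "ImageLoaded": loaded, "reasons": reasons})
    return findings


# Constructed sample telemetry (not real captures): one benign load, one classic
# side-load from a user-writable directory, one system WerFault pulling a DLL
# from ProgramData, one process-creation event, and one unrelated process.
SAMPLE_EVENTS = r"""
{"EventID": 7, "Image": "C:\\Windows\\System32\\WerFault.exe", "ImageLoaded": "C:\\Windows\\System32\\faultrep.dll", "Signed": "true"}
{"EventID": 7, "Image": "C:\\Users\\victim\\AppData\\Local\\Temp\\iso\\WerFault.exe", "ImageLoaded": "C:\\Users\\victim\\AppData\\Local\\Temp\\iso\\faultrep.dll", "Signed": "false"}
{"EventID": 7, "Image": "C:\\Windows\\SysWOW64\\WerFault.exe", "ImageLoaded": "C:\\ProgramData\\update\\helper.dll", "Signed": "false"}
{"EventID": 1, "Image": "C:\\Users\\victim\\AppData\\Local\\Temp\\iso\\WerFault.exe", "CommandLine": "WerFault.exe -u -p 1234"}
{"EventID": 7, "Image": "C:\\Users\\victim\\tool.exe", "ImageLoaded": "C:\\Users\\victim\\plugin.dll", "Signed": "false"}
"""


def analyse(text: str) -> list[dict]:
    """Convenience wrapper: parse the export and run the detection."""
    return detect_werfault_sideload(parse_sysmon_jsonl(text))


if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"{f['Image']} -> {f['ImageLoaded']}: {', '.join(f['reasons'])}")
```

Only the two WerFault.exe image loads from untrusted locations are reported; the process-creation event is ignored because it carries no loaded-DLL path, and the unrelated process is out of scope for this rule. In production the same logic applies to any LOLBin known to be used for side-loading, and the allow-list of trusted directories should also cover WinSxS if your environment runs WerFault.exe from there.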
Major Cyber Incidents
- The FanDuel sportsbook and betting site is warning customers that their names and email addresses were exposed in the January 2023 MailChimp security breach. Using stolen employee credentials, the threat actors accessed an internal MailChimp customer support and administration tool and stole the "audience data" of 133 MailChimp customers.
- Costa Rica’s government has suffered another ransomware attack just months after several ministries were crippled in a wide-ranging attack by hackers using the Conti ransomware.
- T-Mobile US Inc. said a hacker obtained data on 37 million customer accounts, though the data did not include payment information, passwords or other sensitive personal data. The investigation is still ongoing, the company said, but the culprit appears to have obtained the information through a single entry point serving customer data and does not appear to have breached the company's systems or network.
- The Vice Society ransomware gang has claimed responsibility for a November 2022 cyberattack on the University of Duisburg-Essen (UDE) that forced the university to reconstruct its IT infrastructure. The threat actors have also leaked files they claim to have stolen from the university during the network breach, exposing potentially sensitive details about the university’s operations, students, and personnel.
- The Israeli mobile forensics firm, Cellebrite, has suffered yet another data breach in which hackers managed to steal 1.7 TB of data. The hackers are also claiming to have stolen 103 GB of data from MSAB, a Sweden-based forensics firm.
- Norton LifeLock customers have fallen victim to a credential-stuffing attack: attackers used a third-party list of stolen username and password combinations to try to break into Norton accounts, and possibly the password managers linked to them, the company is warning.