Cybersecurity Digest #84: 14/11/2023 – 28/11/2023

Cybersecurity News

  • The Lumma Stealer malware now features a new anti-sandbox technique that uses trigonometry to evade detection and exfiltrate valuable information from infected hosts.
  • The Tor Project has explained its recent decision to remove multiple network relays that represented a threat to the safety and security of all Tor network users.
  • Google has officially announced plans to gradually eliminate third-party cookies, a key aspect of its Privacy Sandbox initiative.
  • Threat actors are leveraging manipulated search results and bogus Google ads that trick users who are looking to download legitimate software such as WinSCP into installing malware instead.
  • The Federal Communications Commission has revealed new rules to shield consumers from criminals who hijack their phone numbers in SIM swapping attacks and port-out fraud.
  • The WordPress plugin WP Fastest Cache is vulnerable to an SQL injection vulnerability that could allow unauthenticated attackers to read the contents of the site’s database. Currently, more than 600,000 websites still run a vulnerable version of the plugin and are exposed to potential attacks.
  • Intel has addressed a vulnerability in its current desktop, server, mobile and embedded CPUs, including the Alder Lake, Raptor Lake and Sapphire Rapids microarchitectures.
  • The FBI and the US Cybersecurity and Infrastructure Security Agency have urged companies not to pay ransoms to ransomware operators. Paying a ransom after a data breach runs counter to law enforcement guidelines because it encourages further cyberattacks and incentivizes repeated attacks on the same victims’ systems.

Cybersecurity Blog Posts

  • The Help Net Security portal published an article devoted to measures to protect against API leaks. According to Wallarm, 33% (79 out of 239) of the vulnerabilities were associated with authentication, authorization and access control — foundational pillars of API security.
  • Connor Jones talked about Denmark’s worst week in May 2023, when Danish critical infrastructure faced the biggest online attack in the country’s history. A detailed description of the attack waves showed that 22 companies were hacked in just a few days. Some were forced into island mode, in which they had to disconnect from the Internet and turn off all other non-essential network connections. The attacks were facilitated by Zyxel zero-day vulnerabilities.
  • Zeljka Zorz has addressed the flaws in the vulnerability disclosure process of open-source projects, which could be exploited by attackers to harvest the information needed to launch attacks before patches are made available. The risk arises from “half-day” and “0.75-day” vulnerabilities.
  • Piotr Bazydło has shared an analysis of a 0-day SSRF vulnerability in Microsoft Exchange OWA. The author informed Microsoft of his intention to publish the finding as a zero-day advisory and provided an HTTP PoC request in his blog post that can be used for filtering and/or monitoring.

Research and Analytics

  • The FBI and CISA have warned of attacks carried out by the Rhysida ransomware group against organizations across multiple industry sectors.
  • Sophos has published its 2023 Active Adversary Report for Security Practitioners, noting a “precipitous decline in dwell time for all attacks.” The researchers state, “In particular, we noted a 44% year-on-year and 72% all-time drop in dwell time for ransomware attacks. These decreases were especially eye-catching with ransomware attacks, the dwell time of which decreased to a median of five days. One of our conclusions is that not only do ransomware attackers know that detection capabilities have improved, necessitating quicker attacks, but many are simply well-practiced.”
  • According to Proofpoint, TA402 uses complex IronWind infection chains to target Middle East-based government entities. From July through October 2023, Proofpoint researchers observed TA402 engage in phishing campaigns that delivered a new initial access downloader dubbed IronWind.
  • Reuters’ journalists have published an investigation into the FBI’s struggle to disrupt a dangerous casino hacking gang. For more than six months, the FBI has known the identities of at least a dozen members tied to Scattered Spider, the hacking group responsible for the break-ins at casino operators MGM Resorts International and Caesars Entertainment.
  • Illumio has published research on cloud security, which revealed that 47 percent of breaches in the last year at surveyed organizations originated in the cloud.
  • Positive Technologies has released its Cybersecurity Threatscape: Q3 2023 report. Cybercriminals started using files with the .pdf extension to bypass email security. At the same time, they are focusing on MFT systems and on exploiting vulnerabilities in MOVEit, Citrix and a WordPress plugin.
  • Royal, a classic ransomware gang that engages in double extortion, simultaneously encrypting and doxxing its victims, is undergoing some changes. The FBI and CISA have released a joint Cybersecurity Advisory (CSA) to disseminate known Royal ransomware IOCs and TTPs identified through FBI threat response activities.
  • In the current digital landscape, the risk of personal and professional data being stolen by nefarious actors looms larger than ever. Trend Micro’s “Your Stolen Data for Sale” report lays bare the stark reality of this threat, with a specific focus on the unequal risks associated with data theft and its subsequent misuse.
  • HP Wolf Security has published a report for the third quarter of 2023. There has been an increase in the use of the Parallax RAT delivered through malicious Excel add-ins masquerading as scanned invoices. Researchers also point out the following MITRE ATT&CK techniques: Process Injection: Process Hollowing; Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder; and Command and Scripting Interpreter.
  • Nuspire’s latest quarterly Cyber Threat Report identified a 68% increase in botnet activity in the third quarter of 2023: Torpig Mebroot led the way, accounting for over 69% of all botnet activities observed in Q3. Meanwhile, NetSupport, Andromeda, and Mirai made a return. Notably, the newly detected TorrentLocker has surpassed FatalRAT, placing it outside the top 5.
  • Check Point has published research on NTLM theft using third-party tables in Microsoft Access. This feature can be abused by attackers to automatically leak the Windows user’s NTLM tokens to any attacker-controlled server, via any TCP port, such as port 80.
  • Axonius has published a study which reveals that 74% of IT and security decision makers say their organization’s IT or security budget increased compared to the year prior, and 63% say their organization’s IT or security team headcount increased.
  • A HYPR and Yubico study revealed that organizations that employ FIDO-based passwordless authentication technologies are least likely to be victims of phishing attacks, cut authentication times by 75%, and measurably reduced their IT service desk burdens.
  • Microsoft has released an analysis highlighting the “potentially unprecedented challenges” associated with cybersecurity in the upcoming election. Microsoft analysts have suggested that state-sponsored APT groups may attempt to interfere in electoral processes not only in the United States, but also in a number of European countries.
  • ReliaQuest has revealed that the number of cybersecurity incidents related to phishing attacks via QR codes (so-called quishing) increased by 50%. In these attacks, intruders often target the personal devices of employees of various organizations, especially devices that lack proper corporate security controls.

Major Cyber Incidents

  • A ransomware attack and resulting outages at direct debit collection company London & Zurich has forced at least one customer to take out a short-term loan as six-figure backlogs continue to cause cash flow mayhem.
  • Healthcare SaaS provider Welltok is warning that a data breach exposed the personal data of nearly 8.5 million patients in the U.S. after a file transfer program used by the company was hacked in a data theft attack.
  • Data on Canadian federal employees stolen in a third-party hack may go back 24 years.
  • Samsung has disclosed a data breach by threat actors that has affected its online store customers by compromising their personal data.
  • The hacking group SiegedSec released personal data on thousands of employees at the Idaho National Laboratory, the nuclear research lab.
  • Japanese manufacturer Yamaha Motor and the healthcare organization WellLife Network have confirmed cyberattacks after being added to the leak site of a ransomware gang this week.
  • Toyota Financial Services has confirmed that it detected unauthorized access on some of its systems in Europe and Africa after Medusa ransomware claimed an attack on the company. Earlier, the Medusa hacker group announced an attack on the infrastructure of a subsidiary of Toyota Motor Corporation.
  • Concevis, a major Swiss provider of software solutions for the government, financial sector, and industrial and logistics companies in Switzerland, recently faced a ransomware attack. The attackers stole confidential information from the company, potentially including outdated operational data from the Swiss Federal Administration, and encrypted all of Concevis’ servers.