Cybersecurity news

• The Cybersecurity and Infrastructure Security Agency has added three more security flaws to its list of bugs exploited in attacks, including a Bitbucket Server RCE and two Microsoft Exchange zero-days. CISA’s Known Exploited Vulnerabilities catalog now includes two Microsoft Exchange zero-days (CVE-2022-41040 and CVE-2022-41082) exploited in limited, targeted attacks, according to Microsoft.
• A new phishing campaign targets US and New Zealand job seekers with malicious documents installing Cobalt Strike beacons for remote access to victims’ devices. The attack is modularized and multi-staged, with most steps relying on executing obfuscated scripts from the host’s memory and abusing the Bitbucket code hosting service to evade detection.
• Hackers have found a new method to establish persistence on VMware ESXi hypervisors to control vCenter servers and virtual machines for Windows and Linux while avoiding detection.

Cybersecurity news

• Extended spellcheck features in Google Chrome and Microsoft Edge web browsers transmit form data, including personally identifiable information and in some cases, passwords, to Google and Microsoft respectively. While this may be a known and intended feature of these web browsers, it does raise concerns about what happens to the data after transmission and how safe the practice might be, particularly when it comes to password fields.
• Romanian cybersecurity firm Bitdefender has released a free decryptor to help LockerGoga ransomware victims recover their files without paying a ransom.

Cybersecurity news

• A new and upgraded version of the SharkBot malware has returned to Google’s Play Store, targeting banking logins of Android users through apps that have tens of thousands of installations. The malware was present in two Android apps that did not feature any malicious code when submitted to Google’s automatic review.
• The source code of a remote access trojan dubbed ‘CodeRAT’ has been leaked on GitHub after malware analysts confronted the developer about attacks that used the tool.

Cybersecurity news

• Kaspersky linked with medium confidence the Maui ransomware operation to the North Korea-backed APT group Andariel, which is considered a division of the Lazarus APT Group. North Korean nation-state actors used Maui ransomware to encrypt servers providing healthcare services, including electronic health records services, diagnostics services, imaging services, and intranet services.
• The young hacker based in Verona, Italy recently uploaded multiple malicious Python packages containing ransomware scripts to the Python Package Index (PyPI), supposedly as an experiment. According to the researchers at Sonatype who spotted the malicious code on PyPI, one of the packages (requesys) was downloaded about 258 times.
• A group of researchers has revealed details of a new vulnerability affecting Intel CPUs that enables attackers to obtain encryption keys and other secret information from the processors.

Cybersecurity news

• The Cybersecurity and Infrastructure Security Agency has added the Zimbra CVE-2022-27824 flaw to its ‘Known Exploited Vulnerabilities Catalog,’ indicating that it is actively exploited in attacks by hackers. This high-severity vulnerability allows an unauthenticated attacker to steal email account credentials in cleartext form from Zimbra Collaboration instances without user interaction.
• Researchers at Trellix have discovered a critical unauthenticated remote code execution vulnerability impacting 29 models of the DrayTek Vigor series of business routers. The attacker does not need credentials or user interaction to exploit the vulnerability, with the default device configuration making the attack viable via the internet and LAN.
• Security researchers have discovered a new vulnerability called ParseThru affecting Golang-based applications that could be abused to gain unauthorized access to cloud-based applications.

Cybersecurity news

• A threat actor is promoting a new version of their free-to-use ‘Redeemer’ ransomware builder on hacker forums, offering unskilled threat actors an easy entry to the world of encryption-backed extortion attacks. The author states that the new 2.0 release was written entirely in C++. It works on Windows Vista, 7,8,10, and 11, featuring multi-threaded performance and a medium AV detection rate.
• A cryptomining gang known as 8220 Gang has been exploiting Linux and cloud app vulnerabilities to grow their botnet to more than 30,000 infected hosts. The group is a low-skilled, financially-motivated actor that infects AWS, Azure, GCP, Alitun, and QCloud hosts after targeting publicly available systems running vulnerable versions of Docker, Redis, Confluence, and Apache.
• Atlassian has patched a critical hardcoded credentials vulnerability in Confluence Server and Data Center that could let remote, unauthenticated attackers log into vulnerable, unpatched servers.

Cybersecurity news

• Security researchers are warning that hackers can abuse online programming learning platforms to remotely launch cyberattacks, steal data, and scan for vulnerable devices, simply by using a web browser.
• A newly discovered Linux malware is being used to stealthily steal information from backdoored Linux systems and infect all running processes on the machine. Dubbed OrBit by Intezer Labs security researchers who first spotted it, this malware hijacks shared libraries to intercept function calls by modifying the LD_PRELOAD environment variable on compromised devices.
• The developer of the AstraLocker ransomware code is reportedly ceasing operations and turning attention to the far simpler art and crime of cryptojacking.

Cybersecurity news

• The extortionate software ech0raix has started attacking vulnerable NAS QNAP network drives again. In order to protect devices from attacks, users are advised to use strong passwords for administrator accounts, enable IP access protection and avoid using default ports 443 and 8080.
• The operators behind BRATA have once again added more capabilities to the Android mobile malware in an attempt to make their attacks against financial apps more stealthy.
• A researcher has created a website that uses your installed Google Chrome extensions to generate a fingerprint of your device that can be used to track you online. It is then possible to track a device across sites using the same fingerprinting method.
• Cisco advises owners of end-of-life Small Business RV routers to upgrade to newer models after disclosing a remote code execution vulnerability that will not be patched.

Approaches to threat data exchange are currently in an active phase of formation and standardization. Today there are a couple of significant standards, namely, MISP and STIX,  and entire assemblage of less significant ones that are less commonly used or considered deprecated,  such as MAEC, IODEF, OpenIOC (Cybox), CAPEC, VERIS and many others. At that, a decent number of community feeds are still distributed in the txt or csv formats, as well as in the form of human-readable analytical summaries, bulletins, and reports.

This article deals with analysis of the generally accepted practices of data exchange about cyber threats, namely, specialized formats and general-purpose standards designed not only for threat intelligence (TI). At that, purely proprietary, rare and “reinvent-the-wheel” formats, as well as thematic blogs, news portals, messenger communities, and other TI sources in human-readable formats are left out of the scope of the present article. Today the focus is on machine-readable formats.

Cybersecurity news

• A newly discovered Linux malware known as Symbiote infects all running processes on compromised systems, steals account credentials, and gives its operators backdoor access.
• Surfshark announced they are shutting down its VPN services in India in response to the new requirements in the country that demand all providers to keep customer logs for 180 days.
• Several US federal agencies today revealed that Chinese-backed threat actors have targeted and compromised major telecommunications companies and network service providers to steal credentials and harvest data.
• A critical Windows zero-day vulnerability, known as Follina and still waiting for an official fix from Microsoft, is now being actively exploited in ongoing phishing attacks to infect recipients with Qbot malware.
• Check Point Research’s cybersecurity experts discovered