Cyber Briefing - 2023.03.02

Welcome to Cyber Briefing, a short newsletter that informs you about the latest cybersecurity advisories, alerts, incidents and news every weekday.

First time seeing this? Please subscribe.


🚨 Cyber Alerts

1. CISA Releases Free Tool to Map Threat Actor Behavior to MITRE ATT&CK Framework

CISA has launched a new tool named Decider to assist cybersecurity professionals in mapping threat actor behavior to the MITRE ATT&CK framework. Decider streamlines the process with guided questions, search, and filter functions, as well as a cart function for exporting results. CISA invites network defenders, analysts, and researchers to use Decider along with its updated Best Practices for MITRE ATT&CK Mapping guide.


2. BlackLotus: The First Malware to Bypass Secure Boot

A new UEFI bootkit called BlackLotus is making headlines as the first publicly known malware seen in the wild that bypasses UEFI Secure Boot, a key platform defense against pre-boot tampering. BlackLotus is written in assembly and C, is about 80 kilobytes in size, and runs even on fully patched Windows 11 systems. It exploits CVE-2022-21894, a Secure Boot bypass that Microsoft fixed in January 2022, to install itself and establish persistence below the operating system, with no physical access to the machine required. The caveat for defenders is that the fix did not revoke the vulnerable, validly signed binaries, so the bootkit can bring its own copies and load them on a patched system; exposure is governed by what is in the UEFI revocation list (DBX), not by patch status.


3. APT27 Iron Tiger Expands Malware Toolkit to Target Linux Devices

Iron Tiger (also tracked as APT27 and LuckyMouse) has built a Linux version of its SysUpdate malware toolkit, adding features to evade security software and hinder reverse engineering. The group has previously abused legitimate applications as a delivery vector and uses a range of malware including SysUpdate, HyperBro, PlugX and a Linux backdoor known as rshell.


4. Massive Cross-Vendor Effort Launched to Patch Serious TPM Vulnerabilities

Researchers at Quarkslab have identified two security flaws in the Trusted Platform Module (TPM) 2.0 reference library specification, prompting a coordinated cross-vendor effort to identify and patch affected devices. The vulnerabilities, tracked as CVE-2023-1017 (an out-of-bounds write) and CVE-2023-1018 (an out-of-bounds read), sit in the reference implementation's CryptParameterDecryption routine and are reachable by anyone who can send commands to the TPM's command interface, typically a local, authenticated user or process on the host. Exploitation allows reading sensitive data held by the TPM or overwriting data that is normally protected by it, such as cryptographic keys, and in the worst case could lead to attacker-controlled code running within the TPM's own context. Because TPM technology is built into everything from enterprise hardware to IoT appliances, the vulnerable code may be present in a very large number of devices. The CERT Coordination Center (CERT/CC) urges users to apply any updates provided by hardware and software manufacturers as soon as possible.
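As an added illustration (not the TPM 2.0 reference code and not Quarkslab's proof of concept), the following C program models the bug class behind these two CVEs: a length-prefixed parameter parser that reads a two-byte size field before confirming the buffer actually contains two bytes. With a zero- or one-byte buffer the read of the size field itself runs past the end, and the unsigned `buf_size - 2` in the follow-up check wraps around, so an absurd declared length is accepted. The function names, return codes and sentinel-filled backing storage are invented for the demonstration; the hardened variant shows the order of checks a reviewer should expect.

```c
/* Constructed example of the "read the size before checking the size" bug
 * class. Not the TPM reference implementation; identifiers are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RC_OK           0
#define RC_INSUFFICIENT 1   /* buffer too short to hold the size field */
#define RC_SIZE         2   /* declared length exceeds remaining bytes  */

/* Known fill value for storage beyond the logical buffer end, so the naive
 * parser's over-read lands on bytes we control rather than undefined memory. */
#define SENTINEL 0xEE

/* Naive: reads the big-endian 16-bit size unconditionally, then compares it
 * with buf_size - 2. When buf_size < 2 the read is already out of bounds and
 * the subtraction wraps to a huge uint32_t, so the check never fails. */
int naive_param_size(const uint8_t *buf, uint32_t buf_size, uint16_t *out_size) {
    uint16_t size = (uint16_t)((buf[0] << 8) | buf[1]);
    if (size > buf_size - 2)
        return RC_SIZE;
    *out_size = size;
    return RC_OK;
}

/* Hardened: prove the size field is inside the buffer before touching it,
 * then prove the declared payload fits in what is left. */
int checked_param_size(const uint8_t *buf, uint32_t buf_size, uint16_t *out_size) {
    if (buf_size < 2)
        return RC_INSUFFICIENT;
    uint16_t size = (uint16_t)((buf[0] << 8) | buf[1]);
    if (size > buf_size - 2)
        return RC_SIZE;
    *out_size = size;
    return RC_OK;
}

typedef struct {
    int      naive_rc;
    uint16_t naive_size;
    int      checked_rc;
    uint16_t checked_size;
} demo_result;

/* Run both parsers over a 1-byte logical buffer that lives inside 4 bytes of
 * sentinel-filled storage (constructed input). The naive parser pulls the
 * sentinel into the high/low byte of "size" and accepts 0x01EE as a length. */
demo_result run_demo(void) {
    uint8_t storage[4];
    memset(storage, SENTINEL, sizeof storage);
    storage[0] = 0x01;              /* the only byte that belongs to the parameter */
    const uint32_t logical_len = 1;

    demo_result r = {0, 0, 0, 0};
    r.naive_rc   = naive_param_size(storage, logical_len, &r.naive_size);
    r.checked_rc = checked_param_size(storage, logical_len, &r.checked_size);
    return r;
}

int main(void) {
    demo_result r = run_demo();
    printf("naive:   rc=%d size=0x%04X (accepted a length from a 1-byte buffer)\n",
           r.naive_rc, r.naive_size);
    printf("checked: rc=%d (RC_INSUFFICIENT rejects the short buffer)\n", r.checked_rc);
    return 0;
}
```

The take-away for code review is the ordering: every bounds check must precede the read it protects, and any `remaining = total - header` arithmetic on unsigned types needs an explicit `total >= header` guard first, or the comparison silently passes on the shortest inputs.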


5. Cisco Issues Security Updates for Critical IP Phone Flaw and DoS Vulnerability

Cisco has released security updates for a critical flaw, CVE-2023-20078, affecting its IP Phone 6800, 7800 and 8800 Series Multiplatform Phones. The vulnerability is rated 9.8 out of 10 on the CVSS scale and is a command injection bug in the web-based management interface caused by insufficient validation of user-supplied input; an unauthenticated, remote attacker could inject arbitrary commands that run with root privileges on the underlying operating system. Cisco has also patched a high-severity denial-of-service (DoS) vulnerability, CVE-2023-20079, which affects the same Multiplatform phones as well as the 7900 Series Unified IP Phones; the 7900 Series is end-of-life and will not receive a fix. Cisco Multiplatform Firmware version 11.3.7SR1 resolves both issues on the supported models.


6. Phishing Campaign Targets Trezor Cryptocurrency Wallet Users

A large phishing campaign is targeting Trezor hardware cryptocurrency wallet users with fake data-breach notifications designed to steal recovery seeds and drain wallets. The ongoing campaign urges recipients to visit a look-alike website and enter their wallet's recovery seed "to secure" the device, at which point the seed is captured. Trezor warns users to treat such messages as phishing and says it has found no evidence of a recent data breach. A recovery seed should only ever be entered on the hardware device itself; no legitimate website or support channel will ask for it, and anyone who holds the seed controls the funds.


7. Aruba Networks warns of critical security flaws in ArubaOS, impacting Mobility Conductor, Controllers, WLAN and SD-WAN Gateways, with fixes provided

Aruba Networks, a subsidiary of Hewlett Packard Enterprise, has published a security advisory detailing six critical-severity vulnerabilities affecting multiple versions of its proprietary network operating system, ArubaOS. The flaws impact Aruba Mobility Conductor, Controllers, WLAN Gateways, and SD-WAN Gateways and can be exploited by unauthenticated, remote attackers to execute arbitrary code as privileged users on ArubaOS. While fixes have been provided, some EoL versions will remain vulnerable, and there are still 15 high-severity and eight medium-severity vulnerabilities left unaddressed.


💥 Cyber Incidents

1. Over 700K Users' Personal Data Exposed in Misconfigured Database of Animaker-owned Site

A misconfigured database has exposed personal data belonging to over 700,000 users of getshow.io and animaker.com, both owned by Animaker. The exposed records include names, email addresses, mobile numbers and other details, but no passwords were found. The unsecured server was identified by security researcher Anurag Sen using the Shodan search engine.


2. Law firms targeted in 10 cyberattacks with GootLoader and SocGholish malware

Cybersecurity firm eSentire reports that it blocked 10 attacks aimed at six law firms in January and February 2023. The attacks belong to two distinct campaigns: one seeks to infect law firm employees with GootLoader, the other targets law firm employees and other victims with SocGholish (also known as FakeUpdates). GootLoader, which is used by several groups, has previously spread malware disguised as freeware installers and has used legal documents as lures. An infection starts with a victim searching for a specific legal term; SEO poisoning then places a website compromised by the GootLoader operators among the top results, where the victim is served a malicious download.


3. Canada Bans TikTok From Government Devices Over Security Concerns

Canada's chief information officer has banned TikTok from mobile devices of government employees due to an "unacceptable level of risk to privacy and security." The popular video-sharing app has over 1 billion active users worldwide and has faced scrutiny in the US and other countries for its alleged ties to the Chinese government. The move is seen as a first step by Prime Minister Justin Trudeau, who has not ruled out further action.


4. Polish Official Accuses Russia of Hacking Tax System Amid Tensions Over Ukraine War

The Polish government says Russia was behind a cyberattack that blocked access to the country's online tax filing system. The attack was a distributed denial-of-service (DDoS), and officials report that no taxpayer data was leaked. The Russian government has consistently denied carrying out hacking operations against foreign governments.


5. WH Smith Hit by Cyber Attack: Employee Data Compromised

WH Smith, a UK books-and-stationery retailer, has suffered a cyberattack in which company data, including current and former employee information, was accessed without authorization. The company has launched an investigation, engaged specialist support services and notified the relevant authorities. WH Smith says customer accounts and databases were not affected and that trading has not been disrupted.


📢 Cyber News

1. European Data Protection Board Raises Privacy Concerns over EU-US Data Privacy Framework

The European Data Protection Board has voiced concerns over the legal framework underpinning commercial trans-Atlantic data flows, as it moves towards formal acceptance by the European Commission. Despite the framework being the outcome of almost two years of negotiations between Brussels and Washington, the European Data Protection Board still has reservations and has requested clarifications on several points. The board has welcomed the data protection framework, but emphasized the absence of key definitions, the broad exemption of publicly available information from framework principles, and the lack of specific rules on automated decision-making and profiling as privacy concerns.


2. US announces new cybersecurity strategy with mandatory infrastructure regulations and 'hack-back' authorization

The US government has unveiled its National Cybersecurity Strategy, which calls for mandatory cybersecurity regulations for critical infrastructure and a more aggressive posture toward disrupting foreign adversaries, widely described as a "hack-back" approach. The strategy is organized around five pillars: defending critical infrastructure, disrupting and dismantling threat actors, shaping market forces to drive security and resilience, investing in a resilient future, and forging international partnerships. Law enforcement and intelligence agencies are to be given high-level authorization to conduct disruption operations against foreign networks, with private companies treated as "full partners" in those efforts.


3. Russian government and state agencies banned from using foreign messengers

Russia has banned the use of many foreign messaging apps in its government and state agencies, citing concerns about leaks of sensitive information to foreign entities. The ban includes popular platforms like Microsoft Teams, Skype, WhatsApp, Snapchat, and Telegram. The move is in line with Russia's cautious approach towards limiting the deployment of foreign software in critical sectors to minimize the chances of sensitive information reaching foreign intelligence, and comes after the country's introduction of incentives promoting the use of domestic software in government and public service organizations.

Subscribe and Comment.

Copyright © 2023 CyberMaterial. All Rights Reserved.

Follow CyberMaterial on:

LinkedIn, Twitter, Reddit, Instagram, Facebook, YouTube, and Medium.
