Cyber Briefing - 2023.03.31

Welcome to Cyber Briefing, a short newsletter that informs you about the latest cybersecurity advisories, alerts, incidents and news every weekday.


🚨 Cyber Alerts


1. New Vulnerabilities Added to CISA Catalog

The Cybersecurity and Infrastructure Security Agency (CISA) has added 10 new vulnerabilities to its Known Exploited Vulnerabilities Catalog, all of which are currently being actively exploited by threat actors. The list includes Microsoft Internet Explorer memory corruption vulnerabilities, a Samba remote code execution vulnerability, and an Apple iOS out-of-bounds write vulnerability, among others. While Binding Operational Directive 22-01 applies only to federal agencies, CISA urges all organizations to prioritize the timely remediation of these vulnerabilities to reduce their exposure to cyberattacks.


2. Malware targets Realtek and Cacti flaws

Fortinet reports a significant increase in malicious activity in 2023, with multiple botnets targeting vulnerable Cacti and Realtek devices. The attacks spread ShellBot and Moobot malware, which exploit the CVE-2021-35394 and CVE-2022-46169 flaws. These botnets aim to enlist exposed network devices in DDoS swarms, making it crucial for device owners to apply security updates and use strong passwords to defend against the malware.


3. AlienFox: Tool for Cloud Credential Harvesting

SentinelLabs has uncovered a new modular toolkit, dubbed AlienFox, which allows threat actors to harvest credentials for multiple cloud service providers. AlienFox targets misconfigured servers running popular web frameworks and cloud-based email platforms, including AWS SES, Google Workspace, Office365, and Zoho. The malware is available for sale on Telegram and is primarily distributed in the form of source code archives, allowing threat actors to customize their malicious code to suit their needs.


4. RedGolf APT group uses custom KEYPLUG backdoor

Recorded Future has attributed the use of a custom Windows and Linux backdoor called KEYPLUG to RedGolf. The group has been active for many years and has a history of developing and using a large range of custom malware families. To defend against RedGolf attacks, organizations are advised to apply patches regularly, monitor access to external-facing network devices, track and block identified command-and-control infrastructure, and configure intrusion detection or prevention systems to alert on malware detections.


5. Super FabriXss vulnerability in Azure

A vulnerability in Azure Service Fabric Explorer (SFX) that could enable unauthenticated remote code execution has been uncovered by Orca Security. Dubbed "Super FabriXss", the flaw is a reflected cross-site scripting (XSS) issue that can be leveraged to execute code and potentially gain control of susceptible systems. The vulnerability was addressed by Microsoft in its March 2023 Patch Tuesday update, but it highlights the ongoing need for robust cloud security measures.


6. Vulnerabilities in ProPump's Water Pumping System

The Osprey Pump Controller made by ProPump and Controls has several vulnerabilities that could give hackers full control of the device. The system is used worldwide in various industries, leaving many exposed to potential cyber-attacks. Despite attempts to report the security holes, the vendor has not responded and the vulnerabilities remain unpatched. An attacker could exploit these vulnerabilities without authentication, which means they could remotely hack a system and cause disruption, potentially leading to harm or damage to public health and safety.


7. Unpatched IBM file transfer software attacked

Security experts are warning about the risk posed to users of unpatched IBM-built enterprise file transfer software as ransomware-wielding attackers continue to launch exploit attempts. IBM Aspera Faspex is a widely adopted enterprise file-exchange application with a reputation for moving large files securely and quickly. The flaw is a deserialization vulnerability in the application's Ruby on Rails code that exists in IBM Aspera Faspex version 4.4.2 running patch level 1 and earlier.



💥 Cyber Incidents


1. Hacking group tied to Russia/Belarus targets governments

The group, known as TA473, Winter Vivern or UAC-0114, has been using simple yet effective techniques and tools to gain access to multiple government email systems, including those of the US, Europe and India, as well as private telecommunications firms that support Ukraine. The group's campaigns are customized and include creating payloads that mimic the look and feel of targeted Zimbra portals, which are served up in emails purporting to link to relevant benign government resources, to gain access to military, government, and diplomatic organizations across Europe.


2. Misconfigured Microsoft app allowed Bing XSS

A misconfigured Microsoft application allowed attackers to log in and modify Bing.com search results in real-time, as well as inject XSS attacks to potentially breach the accounts of Office 365 users. Wiz Research discovered the security issue and reported it to Microsoft, who confirmed it was fixed on March 28, 2023. The misconfiguration problem affected approximately 25% of multi-tenant apps scanned by Wiz, and Microsoft has introduced security enhancements to prevent similar issues in the future.


3. NCB Management Services reports data breach

National accounts receivable management company NCB Management Services has notified about 500,000 people that their personal data was compromised in a data breach. NCB's systems were accessed by unauthorized parties on February 1, and the data theft was confirmed on March 8. Exposed personal information included names, addresses, phone numbers, email addresses, birth dates, driver's license numbers, Social Security numbers, and employment positions, and the stolen financial data included pay amounts, credit card numbers, routing numbers, account numbers and balances, and/or account statuses.


4. Concert Ticket Breach Impacts Students

Several students' credit and debit card details were compromised and varying amounts of money were stolen almost a month after they attended a Beach Bunny concert at Cornell University. On Feb. 24, Cornell University's Information Technology department released a security alert informing students that Cornell's ticketing software partner and vendor, AudienceView, had experienced a platform breach affecting ticket buyers beginning in February. AudienceView has since taken measures to ensure that stakeholders' privacy is not compromised in the future, but some students are still losing money because of the breach.


5. LockBit Ransomware Leaked Sheriff's Office data

The Washington County Sheriff's Office in Florida was hit by the LockBit ransomware group, resulting in the theft of employee data and warrants. Despite the attack originating from Russia, the sheriff's office continued to serve its community, and did not pay any ransom due to Florida laws. LockBit remains one of the most active ransomware groups, accounting for over half of all attacks in February 2023.



📢 Cyber News


1. Microsoft enhances Windows 11 features

Windows 11 Insiders will now be able to test Microsoft's adaptive brightness feature on a wider range of devices with the release of the latest preview build. The content adaptive brightness control (CABC) feature can now be toggled on plugged-in devices including desktops, as well as laptops running on battery power. The feature aims to save battery life and reduce energy consumption by dimming or brightening areas of a screen based on the displayed content.


2. US grants $25M to Costa Rica for cyberattack recovery

The US State Department is providing $25m to Costa Rica to help it recover from a series of ransomware attacks last year, setting a precedent that the Biden administration will send aid to allies when faced with cyberattacks from foreign adversaries. The Costa Rican government believes the attacks were tied to its support for Ukraine. The new funding will help Costa Rica stand up a new security operations centre to detect, prevent and respond to cyberattacks, as well as help strengthen networks across the entire Costa Rican government against future cyber threats.


3. Russian cyberwarfare leak exposes Vulkan

A leak of secret documents from NTC Vulkan, a cybersecurity consultancy in Moscow, has revealed the firm has been helping Russian military and intelligence agencies with their cyber warfare capabilities. The documents, which date from 2016 to 2021, were leaked by an anonymous whistleblower and reveal how Vulkan’s engineers have worked for the FSB, GOU, GRU and SVR, among others. One cyber-attack tool, codenamed Scan-V, has been linked to the notorious Sandworm hacking group. It is not known whether the tools built by Vulkan have been used for real-world attacks.



Copyright © 2023 CyberMaterial. All Rights Reserved.
