Cyber Briefing - 2023.05.29

The latest in cybersecurity: Barracuda, Microsoft, Windows 11, Google Cloud, GobRAT, QBot, ABB, Italian Industry Ministry, Emby, BlackByte, OpenAI, Firefox.

Welcome to Cyber Briefing, the newsletter that informs you about the latest cybersecurity advisories, alerts, incidents and news every weekday.

First time seeing this? Please subscribe.



🚨 Cyber Alerts


1. CISA Adds New Vulnerability to Catalog

The Cybersecurity and Infrastructure Security Agency (CISA) has added a new vulnerability to its Known Exploited Vulnerabilities Catalog: an improper input validation flaw in the Barracuda Networks ESG Appliance that is under active exploitation. Vulnerabilities of this kind are frequent targets for malicious cyber actors and pose significant risks to federal agencies and other organizations. All entities should prioritize prompt remediation of catalog vulnerabilities to strengthen their cybersecurity posture and reduce exposure to these threats.


2. Microsoft Introduces Performance Mode for Dev Drives

Microsoft has unveiled a new feature called "performance mode" in Microsoft Defender that aims to reduce the impact of antivirus scans on developer workflows. This capability is specifically designed for Dev Drives, a new type of storage volume in Windows 11 that offers improved performance and resiliency for developers. With the combination of Dev Drives and performance mode, developers can expect a significant boost of up to 30% in build speed, according to Microsoft's Chief Product Officer for Windows and Devices, Panos Panay. This feature prioritizes security without compromising performance by delaying scans until file operations are completed, providing an optimal balance between productivity and threat protection for developers.


3. Google Cloud SQL Vulnerability Exposes Data

A newly disclosed security flaw in the Google Cloud Platform's Cloud SQL service could have granted unauthorized access to sensitive information. According to Israeli cloud security firm Dig, the vulnerability could have allowed attackers to escalate privileges and gain control over internal data, including secrets, passwords, and customer data. The flaw stemmed from weaknesses in the security layer associated with SQL Server, which enabled an attacker to assume administrative roles and take full control of the database server. Google addressed the issue in April 2023 following responsible disclosure, underscoring the importance of securing cloud-based platforms to prevent major security incidents.


4. GobRAT: Japan's Linux Router Threat

A new threat looms over Linux routers in Japan as cybercriminals unleash GobRAT, a remote access trojan (RAT) written in Golang. According to a report from JPCERT Coordination Center, the attackers target routers with public-facing web UIs, exploiting vulnerabilities to infect them with GobRAT. Once a router is compromised, the trojan disguises itself as the Apache daemon process and employs techniques such as disabling firewalls and establishing persistence for remote access. This development follows a recent revelation by Lumen Black Lotus Labs about business-grade routers falling prey to HiatusRAT, which targeted victims across Latin America, Europe, and North America.


5. QBot: Windows DLL Hijacking Exploited

A dangerous game is afoot as the QBot malware leverages a DLL hijacking vulnerability in Windows 10's WordPad program to infect unsuspecting computers. By utilizing a legitimate program, QBot can bypass security software and execute malicious commands undetected. Ransomware groups such as Black Basta, Egregor, and Prolock have partnered with QBot to gain initial access to corporate networks for extortion campaigns, making this stealthy attack method even more concerning.


💥 Cyber Incidents


6. Medical Practice Breach: Data Compromised

Hackers targeted an upstate New York medical specialty practice, Albany ENT & Allergy Services, compromising the personal and protected health information of approximately 224,500 employees and patients. The incident, discovered in March, involved the theft of over 2 terabytes of data, according to the dark web leak site RansomHouse. Although Albany ENT & Allergy did not mention the ransomware attack and data exfiltration in its breach report, it is taking steps to investigate the incident, review security policies, provide additional training, and enhance data and system safeguards.


7. ABB Hit by Ransomware & Data Theft

ABB, the Swiss tech multinational and U.S. government contractor, has acknowledged that its systems were impacted by a ransomware attack. The company revealed that unauthorized actors had accessed certain ABB systems, deployed non-self-propagating ransomware, and exfiltrated data. ABB stated that it would notify affected individuals if their information was compromised, and the investigation is ongoing with the assistance of advisors and law enforcement.


8. Italian Industry Ministry Targeted in Cyberattack

The Italian Industry Ministry's web portal and applications were subjected to a "heavy cyberattack" causing significant disruption, as confirmed by the ministry. Technicians are actively working to address the consequences of the attack, and there is no indication of data theft at this time. The ministry has been coordinating with the National Cybersecurity Agency to minimize the impact on citizens and businesses, although the timeframe for a full recovery remains uncertain.


9. Emby Takes Action Against Server Hacks

Emby, a media server platform, took action to remotely shut down user-hosted media server instances that were compromised in a recent cyberattack. The attack targeted Internet-exposed private Emby servers with insecure admin account configurations, exploiting a known vulnerability. Emby detected a malicious plugin installed on the affected servers and shut them down as a precautionary measure. Users are advised to delete the malicious files and review their servers for suspicious activity.


10. Augusta Hit by BlackByte Ransomware

The city of Augusta, Georgia has experienced a cyber "incident," which has now been revealed to be a ransomware attack by the BlackByte gang. The attack disrupted the city's computer systems starting on May 21, and Augusta Mayor Garnett Johnson confirmed that unauthorized access had occurred. The city's Information Technology Department is actively investigating the incident and working to restore full functionality to the affected systems. The ransomware gang has claimed to have stolen 10GB of sensitive data from Augusta and demanded a payment of $50 million, highlighting the escalating threat of ransomware attacks targeting critical infrastructure sectors in the US.


11. Colleges Targeted: Cyberattacks Disrupt Exams

Hackers have recently infiltrated the networks of two colleges, causing disruption during the crucial period of final exams and commencement ceremonies. Chattanooga State Community College in Tennessee had to cancel classes and modify schedules for staff members due to a cyberattack. Mercer University in Georgia announced that hackers stole sensitive information of students, parents, and employees. With the involvement of law enforcement and cybersecurity vendors, both colleges are working to investigate and mitigate the incidents. The attacks on colleges and universities have seen an uptick in recent weeks, highlighting the vulnerability of educational institutions during critical times.


📢 Cyber News


12. OpenAI CEO's Uncertainty Over EU's AI Act Regulation

OpenAI CEO Sam Altman's stance on operating within the European Union remains uncertain as he expresses concerns about the forthcoming Artificial Intelligence Act regulation. Altman's comments during his European tour, including a statement that OpenAI may cease operations if unable to comply, raised questions about the company's future in the EU. However, Altman later clarified that OpenAI has no plans to leave and is committed to continuing operations.


13. Intrusive Mozilla VPN Ads Upset Firefox Users

Firefox users have been expressing their frustration over intrusive full-screen advertisements promoting Mozilla VPN that appear while they are browsing unrelated pages. These ads disrupt the browser's functionality, rendering the interface inaccessible until they are closed. Some users even reported that the ads caused Firefox to become unresponsive for up to 30 seconds. The aggressive advertising method employed by Mozilla, a company known for valuing user choice and a people-first experience, has drawn criticism from users who find it disruptive and contrary to the company's principles.


14. Nevada Man Charged in $45M CoinDeal Fraud

A Nevada man is facing charges for his alleged involvement in the CoinDeal investment fraud scheme that defrauded over 10,000 victims of more than $45 million. Bryan Lee, based in Las Vegas, is accused of conspiring with Neil Chandran and others to deceive investors through companies controlled by Chandran. The scheme involved false promises of high returns and misappropriation of funds for personal luxuries, including luxury cars and real estate. Lee now faces multiple charges, including conspiracy, mail fraud, wire fraud, and engaging in monetary transactions with criminally derived property, which could result in substantial prison sentences if convicted.


15. Real-World Lessons Shape New Cyber Strategy

The Defense Department's latest cyber strategy takes inspiration from real-world experiences, particularly the conflict in Ukraine, and builds upon the "Defend Forward" policy established in 2018. The strategy emphasizes conducting proactive cyber operations to disrupt malicious activity and defending the country by generating insights about cyber threats. It also focuses on supporting allies in enhancing their cyber capacity and investing in the Pentagon's own information networks and systems. The new strategy aims to deter conflicts and ensure success in the digital domain.


Subscribe and Comment.

Copyright © 2023 CyberMaterial. All Rights Reserved.

Follow CyberMaterial on:

LinkedIn, Twitter, Reddit, Instagram, Facebook, Youtube, and Medium.
