Cyber Security News Weekly Round-Up (Vulnerabilities, Cyber Attacks, Threats & New Stories)
Threats
GoRed, a tool used by the cyber-espionage group ExCobalt, communicates with its command-and-control (C2) servers over DNS and ICMP tunneling.
This technique lets the operators remain persistent and undetected inside compromised networks, because the traffic blends into protocols that are rarely blocked at the perimeter.
GoRed's features include a C2 framework for executing commands, an RPC protocol for C2 communication, and DNS or ICMP tunneling as the transport.
It also provides credential harvesting, data collection and reconnaissance of the victim network.
The tool is highly customizable and adaptable, which makes it a significant threat in the cyber security landscape.
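As an added illustration (this is not code from the article or from ExCobalt's tooling), the Python script below applies the usual heuristics for spotting DNS tunneling of the kind GoRed relies on: many unique query names under one parent domain, long high-entropy leftmost labels, and a high share of record types that carry bulky payloads (TXT, NULL, CNAME, MX). The resolver log lines are constructed for the example; the parent-domain extraction (last two labels) and the thresholds are assumptions to be tuned against your own traffic baseline.

```python
import math
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample resolver log, one query per line: "client qtype qname" (not real traffic).
SAMPLE_DNS_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 A cdn.example.com
10.0.0.7 TXT 4a7b9c2e1f0d3e6a5b8c9d0e1f2a3b4c.c2.badtunnel.net
10.0.0.7 TXT 9f8e7d6c5b4a39281706f5e4d3c2b1a0.c2.badtunnel.net
10.0.0.7 TXT 0123456789abcdef0123456789abcdef.c2.badtunnel.net
10.0.0.7 TXT fedcba9876543210fedcba9876543210.c2.badtunnel.net
10.0.0.7 TXT 1a2b3c4d5e6f70819a2b3c4d5e6f7081.c2.badtunnel.net
10.0.0.7 TXT a1b2c3d4e5f60718a1b2c3d4e5f60718.c2.badtunnel.net
10.0.0.9 A mail.example.com
10.0.0.9 AAAA www.example.com
"""

# Record types commonly abused to carry tunnelled data (assumption: tune per environment).
BULKY_QTYPES = {"TXT", "NULL", "CNAME", "MX"}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    freq: Dict[str, int] = defaultdict(int)
    for ch in s:
        freq[ch] += 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in freq.values())


def parent_domain(qname: str) -> str:
    """Registrable domain approximated as the last two labels (assumption: no public-suffix list)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_dns_log(text: str) -> List[Tuple[str, str, str]]:
    """Parse 'client qtype qname' lines; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        client, qtype, qname = parts
        records.append((client, qtype.upper(), qname.lower()))
    return records


def profile_domains(records: List[Tuple[str, str, str]]) -> Dict[str, Dict[str, float]]:
    """Per parent domain: query count, unique names, mean length/entropy of the leftmost label,
    and the share of bulky record types."""
    by_parent: Dict[str, list] = defaultdict(list)
    for client, qtype, qname in records:
        by_parent[parent_domain(qname)].append((client, qtype, qname))
    stats = {}
    for parent, rows in by_parent.items():
        unique_names = {q for _, _, q in rows}
        first_labels = [q.split(".")[0] for q in unique_names]
        bulky = sum(1 for _, t, _ in rows if t in BULKY_QTYPES)
        stats[parent] = {
            "queries": len(rows),
            "unique_names": len(unique_names),
            "avg_label_len": sum(len(l) for l in first_labels) / len(first_labels),
            "avg_label_entropy": sum(shannon_entropy(l) for l in first_labels) / len(first_labels),
            "bulky_qtype_ratio": bulky / len(rows),
        }
    return stats


def flag_tunnels(stats, min_unique=5, min_len=20, min_entropy=3.0, min_bulky=0.5) -> List[str]:
    """Flag parent domains that trip every heuristic at once (all thresholds are assumptions)."""
    flagged = [
        parent for parent, s in stats.items()
        if s["unique_names"] >= min_unique
        and s["avg_label_len"] >= min_len
        and s["avg_label_entropy"] >= min_entropy
        and s["bulky_qtype_ratio"] >= min_bulky
    ]
    return sorted(flagged)


def detect(log_text: str) -> List[str]:
    """End-to-end: parse the log, profile each parent domain, return the suspicious ones."""
    return flag_tunnels(profile_domains(parse_dns_log(log_text)))


if __name__ == "__main__":
    for parent, s in profile_domains(parse_dns_log(SAMPLE_DNS_LOG)).items():
        print(parent, {k: round(v, 2) for k, v in s.items()})
    print("suspected tunnels:", detect(SAMPLE_DNS_LOG))
```

The script requires all heuristics to agree before flagging, which keeps the false-positive rate down: content delivery networks, anti-malware reputation lookups and some telemetry services legitimately generate large numbers of high-entropy subdomains, so baseline those domains and allowlist them rather than lowering the thresholds. ICMP tunneling needs the equivalent check on packet counts and payload sizes, since echo requests normally carry small, repetitive payloads.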
The Hunt Research Team traced an exposed web server with an open directory that had been used to attack the Taiwanese Freeway Bureau and a local data center.
Shortly after the finding was made public, the server at 103.98.73.189:8080 went offline.
The threat actors used tools such as Nmap and SQLMap to hunt for vulnerabilities, and the BlueShell malware to gain access to victims' systems.
Continuous monitoring of open directories helps identify such staging infrastructure early and reduce the threat it poses.
The incident illustrates the ongoing targeting of Taiwanese government entities and critical infrastructure.
Hackers are running QR code phishing campaigns that use weaponized Word documents to steal financial data.
The documents carry macros that execute malicious code when opened, letting the attackers deliver payloads or gain unauthorized access to systems.
The lures frequently impersonate government bodies such as China's Ministry of Human Resources and invite recipients to register for a fake subsidy.
Victims who scan the code land on a fake website where they enter personal information and card numbers, which are then used to steal money from their accounts.
Individuals should scan QR codes only from trusted sources and verify the destination URL before entering any information.
Hackers are distributing malware through a weaponized Cisco Webex Meetings app. Attackers trick users into downloading password-protected archives that pose as genuine software.
Once installed, the malware steals information such as credentials and then establishes a persistent connection to its command-and-control server.
The attack chain combines social engineering, DLL side-loading and process injection.
The malware further exploits vulnerabilities to obtain administrative rights and then disables Windows Defender. The campaign is broad, with over 400 similar filenames submitted to VirusTotal since 2024.
ShrinkLocker is a ransomware strain that abuses the built-in Windows BitLocker feature to encrypt local drives and remove recovery options. Written in VBScript, it shrinks the existing partitions and then enables BitLocker on them.
The script deletes the default recovery protectors, generates its own password, and sends the resulting encryption key to the attacker.
The key is transmitted to the attacker's server along with information gathered from the system; the script then removes itself from the machine, leaving victims no way to recover the encrypted files. Attacks have been observed in Indonesia, Jordan and Mexico.
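The behaviour described above (a script host shrinking partitions, deleting BitLocker recovery protectors, adding a password protector and turning BitLocker on) is visible in process-creation telemetry. The following Python is an added example, not code from the article or from Kaspersky's analysis: it runs a small set of rules over constructed Sysmon-style process events and raises an alert only when one host trips several distinct rules. The event records and command lines are invented for the example, and the rule thresholds are assumptions.

```python
from collections import defaultdict
from typing import Dict, List

# Script hosts a VBScript/PowerShell dropper would run under, and the disk/BitLocker tools it drives.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
DISK_TOOLS = {"diskpart.exe", "manage-bde.exe", "bcdedit.exe"}

# Constructed Sysmon-like process-creation events (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Host": "WS01", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe "C:\Users\alice\Downloads\invoice.vbs"'},
    {"Host": "WS01", "ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\diskpart.exe",
     "CommandLine": r"diskpart.exe /s C:\Windows\Temp\shrink.txt"},
    {"Host": "WS01", "ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\manage-bde.exe",
     "CommandLine": "manage-bde.exe -protectors -delete C:"},
    {"Host": "WS01", "ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\manage-bde.exe",
     "CommandLine": "manage-bde.exe -protectors -add C: -pw"},
    {"Host": "WS01", "ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\manage-bde.exe",
     "CommandLine": "manage-bde.exe -on C: -SkipHardwareTest"},
    # Benign: an administrator checking status from a shell.
    {"Host": "WS02", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\manage-bde.exe",
     "CommandLine": "manage-bde.exe -status C:"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_hits(event: Dict[str, str]) -> List[str]:
    """Names of the detection rules matched by a single process-creation event."""
    parent = basename(event.get("ParentImage", ""))
    image = basename(event.get("Image", ""))
    tokens = event.get("CommandLine", "").lower().split()
    hits = []
    # A script host driving disk/BitLocker tooling is unusual outside deployment pipelines.
    if parent in SCRIPT_HOSTS and image in DISK_TOOLS:
        hits.append("script_host_spawns_disk_tool")
    if image == "manage-bde.exe" and "-protectors" in tokens:
        if "-delete" in tokens:
            hits.append("bitlocker_protector_deleted")
        if "-add" in tokens and ("-pw" in tokens or "-password" in tokens):
            hits.append("bitlocker_password_protector_added")
    if image == "manage-bde.exe" and "-on" in tokens and "-skiphardwaretest" in tokens:
        hits.append("bitlocker_enabled_skipping_hardware_test")
    return hits


def correlate(events: List[Dict[str, str]], min_distinct_rules: int = 2) -> Dict[str, List[str]]:
    """Group rule hits per host; alert when a host trips at least min_distinct_rules different rules.
    Requiring several rules avoids paging on a lone 'manage-bde -protectors -delete' from an admin."""
    per_host: Dict[str, set] = defaultdict(set)
    for event in events:
        for rule in rule_hits(event):
            per_host[event["Host"]].add(rule)
    return {host: sorted(rules) for host, rules in per_host.items()
            if len(rules) >= min_distinct_rules}


if __name__ == "__main__":
    for host, rules in correlate(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {', '.join(rules)}")
```

One caveat that matters in practice: the same protector changes can be made through the Win32_EncryptableVolume WMI class without ever spawning manage-bde.exe, so pair process-based rules like these with the BitLocker operational event log and with alerts on recovery-key removal, and make sure recovery keys are escrowed to Active Directory or Entra ID before an incident rather than after.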
Zergeca is the latest entrant among Distributed Denial of Service (DDoS) botnets, and it exhibits advanced features that set it apart.
Zergeca was detected by XLab's Cyber Threat Insight Analysis (CTIA) system on May 20, 2024, and has already demonstrated its disruptive capability.
It is more than an ordinary DDoS botnet: it supports six different attack methods and adds proxying, scanning, self-upgrading, persistence, file transfer, a reverse shell and more.
The name Zergeca refers to the swarm-like Zerg of the StarCraft game, mirroring the botnet's aggressive and expansive character.
Reverse engineering shows that Zergeca was built for Linux on the x86-64 architecture, with the potential to spread to other platforms.
The Winnti Group has been linked to the Chinese government, and some of its cyber-espionage campaigns have also had financial motives.
Its operations involve malware execution, harvesting of local credentials, and exfiltration of data over HTTP.
The group's signature tools include the PlugX RAT and ShadowPad, which have been used in supply chain attacks. Defensive measures include monitoring for DLL side-loading, scheduled task abuse and Windows service manipulation, among others.
Attack graphs, run as a series of continuous tests, help organizations validate their security posture against this threat actor.
Stuxnet is a highly complex computer worm that targeted Siemens Step7 software used in industrial control systems, in particular the systems controlling uranium enrichment centrifuges.
It spread via removable media and exploited multiple zero-day vulnerabilities to cross air-gapped networks, then manipulated programmable logic controllers (PLCs) to alter centrifuge speeds until the devices malfunctioned, damaging Iran's nuclear infrastructure.
The attack exposed the limits of traditional security controls and remains the reference case study for re-evaluating cyber security strategies for critical infrastructure in the digital age.
Cyber Attack
A newly identified variant of the RansomHub ransomware targets VMware ESXi systems. ESXi hosts are widely used by enterprises to manage virtualized infrastructure, which makes them attractive targets.
Threat actors can exploit security vulnerabilities in ESXi to deploy ransomware and conduct other malicious operations.
RansomHub has been operating since February 2024 and targets multiple operating systems with malware written in Go or C++. The ESXi variant is one of several in the RansomHub family, which has built a strong presence across several regions.
A cyberattack on CDK Global, one of the largest providers of automotive dealership software, has severely affected roughly half of the car dealerships in America.
As a precaution, most systems were shut down after the incident began on Wednesday.
The outage caused major disruption, forcing dealerships to fall back on pen and paper to manage sales and service transactions.
Automakers including Stellantis, Kia and Toyota are helping affected dealerships serve customers during the downtime.
CDK stated that services could remain unavailable for days or more, without giving an estimated time frame for restoring them.
Sensitive data belonging to NHS pathology provider Synnovis has been published following a cyber-attack that disrupted London hospitals.
The Russian-speaking Qilin ransomware group is responsible for the incident, which has led to over 380GB of data being published.
Patient information and financial records are among the exposed data. The attackers compromised Synnovis' IT systems, encrypted files and demanded a $50 million ransom for their release.
Blood transfusion and testing capabilities have been severely affected, forcing the postponement of more than 1,000 operations and over 2,000 appointments across the seven affected hospitals. The NHS and its partners are working to establish the full extent of the breach.
Kaspersky researchers recently reported that 59% of real-world passwords can be cracked with a modern graphics card in under an hour by anyone with some technical knowledge.
To recover these passwords they combined smart guessing algorithms with brute force.
The result shows how weak most real-world passwords are and how efficient GPU-based brute-force attacks have become.
Even those who do not own such hardware can rent it for a small fee and crack huge leaked password collections effectively.
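To make the gap between naive brute force and the "smart guessing" mentioned above concrete, here is an added Python example (not from the article or from Kaspersky's study). It computes the exhaustive keyspace of a password from its character classes, computes the far smaller keyspace of a hashcat-style mask that captures the human pattern behind it, and converts both into expected cracking time at an assumed guess rate. The per-hash guess rates in ASSUMED_RATES are illustrative assumptions, not measured figures; the passwords are made up.

```python
import string
from typing import Dict, Optional

# Assumed single-GPU guess rates in hashes/second (illustrative; real figures depend on
# the GPU, driver and hashing implementation). Note how slow bcrypt is by design.
ASSUMED_RATES: Dict[str, float] = {
    "ntlm": 2.0e11,
    "md5": 1.0e11,
    "sha256": 1.0e10,
    "bcrypt_cost10": 2.0e5,
}

# Character classes and their alphabet sizes for brute-force keyspace estimation.
CLASSES = [
    ("lower", set(string.ascii_lowercase), 26),
    ("upper", set(string.ascii_uppercase), 26),
    ("digit", set(string.digits), 10),
    ("symbol", set(string.punctuation), len(string.punctuation)),  # 32 ASCII symbols
]

# hashcat-style mask tokens and the number of candidates each position contributes.
MASK_TOKENS = {"?l": 26, "?u": 26, "?d": 10, "?s": 33, "?a": 95}


def charset_size(password: str) -> int:
    """Alphabet an attacker must cover if they know only which character classes appear."""
    size = 0
    for _, chars, n in CLASSES:
        if any(c in chars for c in password):
            size += n
    # Characters outside the four classes (spaces, non-ASCII) are counted individually (assumption).
    size += len({c for c in password if not any(c in chars for _, chars, _ in CLASSES)})
    return size


def keyspace(password: str) -> int:
    """Exhaustive keyspace for this password's length and character classes."""
    return charset_size(password) ** len(password)


def mask_keyspace(mask: str) -> int:
    """Keyspace of a mask such as '?u?l?l?l?l?l?l?l?d?s'; literal characters contribute one candidate."""
    total, i = 1, 0
    while i < len(mask):
        token = mask[i:i + 2]
        if token in MASK_TOKENS:
            total *= MASK_TOKENS[token]
            i += 2
        else:
            i += 1
    return total


def expected_seconds(space: int, rate: float) -> float:
    """Average time to find the password: half the keyspace at the given guess rate."""
    return space / 2 / rate


def crackable_within(password: str, hours: float, rate: float) -> bool:
    """True if exhaustive brute force is expected to succeed within the given number of hours."""
    return expected_seconds(keyspace(password), rate) <= hours * 3600


def report(password: str, mask: Optional[str] = None, rate: float = ASSUMED_RATES["md5"]) -> dict:
    """Compare exhaustive search with a pattern mask for the same password."""
    brute = keyspace(password)
    out = {
        "length": len(password),
        "charset": charset_size(password),
        "brute_force_space": brute,
        "brute_force_hours": expected_seconds(brute, rate) / 3600,
    }
    if mask:
        ms = mask_keyspace(mask)
        out.update({"mask": mask, "mask_space": ms, "mask_hours": expected_seconds(ms, rate) / 3600})
    return out


if __name__ == "__main__":
    # "Password1!" looks strong on paper (94^10 candidates) but follows a very common pattern.
    for k, v in report("Password1!", "?u?l?l?l?l?l?l?l?d?s").items():
        print(f"{k:>18}: {v:,}" if isinstance(v, int) else f"{k:>18}: {v}")
```

The comparison makes the article's point: exhaustive search over 94 characters and 10 positions is measured in years at these rates, while the mask that matches the way people actually build such passwords (capital letter, lowercase run, digit, symbol) collapses the same password into minutes. Dictionary and rule-based attacks shrink the space further, which is why length and unpredictability, not mandatory symbol counts, are what make a password survive, and why slow hashes such as bcrypt matter on the defender's side.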
Chinese hackers have been conducting a sustained espionage campaign against telecommunications operators in an Asian country for at least the last 20 months.
They used specialized backdoors including Coolclient, Quickheal and Rainyday to log keystrokes, manipulate files and communicate with command-and-control servers.
Keylogging malware, port scanning tools and credential dumping were also used.
This may be a multi-actor operation, with several groups involved or cooperating. It is not yet clear whether the goal is intelligence collection or establishing an interception capability within the telecom sector.
UNC3886, a Chinese cyber-espionage group, has been exploiting multiple flaws in VMware and Fortinet products to gain access to environments and maintain a long-term foothold.
These include CVE-2023-34048 in VMware vCenter, CVE-2022-41328 in FortiGate and CVE-2023-20867 in VMware Tools, which helped the attackers plant backdoors, steal data and keep alternative entry points into systems.
NCSC TIB assesses them as sophisticated actors given their use of publicly available rootkits such as REPTILE and MEDUSA, along with SEAELF, and custom-made malware such as MOPSLED and RIFLESPINE.
Although Fortinet and VMware have released patches, the operational caution of these actors makes the risk difficult to eliminate completely.
Data Breach
Jollibee Foods Corporation, the Philippines' largest fast-food chain, has reportedly been breached by a threat actor.
The breach allegedly exposed sensitive customer information including names, addresses and payment details. The threat actor claims to have gained access to Jollibee's internal systems and exfiltrated a substantial volume of data.
As a precaution, security experts are advising customers to monitor their financial accounts and reset their passwords.
Jollibee has not yet issued an official statement. The company is expected to conduct a full investigation to establish the scope of the breach and put preventive measures in place.
Accenture, one of the world's leading consulting firms, has allegedly suffered a breach resulting in the loss of critical information.
The breach is claimed to involve personal data including names, addresses, credit card numbers and Social Security Numbers (SSNs).
A threat actor using the handle 888 has posted data samples on dark web forums in support of the claims.
Accenture has made no official statement so far; security experts are urging the company to investigate thoroughly and promptly notify any employees who may be affected.
The consequences of such an incident can be severe for the affected individuals, ranging from identity theft to financial fraud.
Amtrak has informed customers of a significant security incident involving Amtrak Guest Rewards accounts. Between May 15 and May 18, 2024, unauthorized individuals were able to access user accounts.
The attackers did not obtain the login credentials from Amtrak's systems but from third-party sources, the pattern of a credential-stuffing attack.
Compromised information includes names, contact details, account numbers, dates of birth, payment details such as card information used to buy gifts, and transaction records.
Amtrak has taken steps to secure the affected accounts, including resetting passwords, restoring altered email addresses and enabling multi-factor authentication.
Advisories
Microsoft has published a playbook for defending Azure environments against Octo Tempest, a notorious hacking group.
Its recommendations include enforcing multi-factor authentication (MFA) for all users, phishing-resistant MFA for administrators in particular, blocking legacy authentication protocols, and forcing high-risk users to change their passwords.
It also advises user risk-based Conditional Access policies to act on suspicious sign-ins, and isolating cloud admin accounts to limit who can reset their passwords or change their MFA methods.
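The Conditional Access recommendations above translate directly into policy objects. The Python below is an added example, not Microsoft's playbook code: it builds the four policies as Microsoft Graph conditionalAccessPolicy request bodies and lints them for the mistakes that most often lock tenants out (no break-glass exclusion, enforcing before report-only review, password change without MFA). The property names follow the Graph schema as the author understands it, the built-in phishing-resistant authentication strength ID and the Global Administrator role template ID are Microsoft's documented well-known values, and the break-glass account ID in the usage is invented. Nothing is sent to Graph; serialize with to_graph_json and post it yourself.

```python
import json
from typing import Dict, List, Optional, Sequence

# Documented well-known identifiers (assumption: copied from Microsoft's published values).
PHISHING_RESISTANT_MFA_STRENGTH_ID = "00000000-0000-0000-0000-000000000004"
GLOBAL_ADMIN_ROLE_TEMPLATE_ID = "62e90394-69f5-4237-9190-012177145e10"
# Client app types that represent legacy (non-modern) authentication in Conditional Access.
LEGACY_CLIENT_APP_TYPES = ["exchangeActiveSync", "other"]
REPORT_ONLY = "enabledForReportingButNotEnforced"


def _base(name: str, break_glass: Sequence[str], include_users: Optional[List[str]] = None,
          include_roles: Optional[List[str]] = None) -> Dict:
    """Skeleton policy: all cloud apps, all client app types, report-only, break-glass excluded."""
    users: Dict[str, List[str]] = {"excludeUsers": list(break_glass)}
    if include_users:
        users["includeUsers"] = include_users
    if include_roles:
        users["includeRoles"] = include_roles
    return {
        "displayName": name,
        "state": REPORT_ONLY,  # review sign-in logs in report-only mode before switching to "enabled"
        "conditions": {
            "users": users,
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": []},
    }


def block_legacy_auth(break_glass: Sequence[str]) -> Dict:
    p = _base("Block legacy authentication", break_glass, include_users=["All"])
    p["conditions"]["clientAppTypes"] = LEGACY_CLIENT_APP_TYPES
    p["grantControls"] = {"operator": "OR", "builtInControls": ["block"]}
    return p


def require_mfa_all_users(break_glass: Sequence[str]) -> Dict:
    p = _base("Require MFA for all users", break_glass, include_users=["All"])
    p["grantControls"] = {"operator": "OR", "builtInControls": ["mfa"]}
    return p


def require_phishing_resistant_mfa_admins(break_glass: Sequence[str],
                                          role_ids: Sequence[str] = (GLOBAL_ADMIN_ROLE_TEMPLATE_ID,)) -> Dict:
    p = _base("Require phishing-resistant MFA for admins", break_glass, include_roles=list(role_ids))
    # Authentication strength replaces builtInControls: FIDO2, passkeys or certificate-based auth only.
    p["grantControls"] = {"operator": "OR",
                          "authenticationStrength": {"id": PHISHING_RESISTANT_MFA_STRENGTH_ID}}
    return p


def high_user_risk_password_change(break_glass: Sequence[str]) -> Dict:
    p = _base("High user risk: require MFA and password change", break_glass, include_users=["All"])
    p["conditions"]["userRiskLevels"] = ["high"]
    # passwordChange is only valid together with mfa and the AND operator.
    p["grantControls"] = {"operator": "AND", "builtInControls": ["mfa", "passwordChange"]}
    return p


def baseline(break_glass: Sequence[str]) -> List[Dict]:
    """The four policies the playbook recommendations map to, in deployment order."""
    return [block_legacy_auth(break_glass), require_mfa_all_users(break_glass),
            require_phishing_resistant_mfa_admins(break_glass), high_user_risk_password_change(break_glass)]


def validate(policies: List[Dict], break_glass: Sequence[str]) -> List[str]:
    """Lint the policies for lock-out and misconfiguration risks; returns a list of problems."""
    problems = []
    for p in policies:
        name = p["displayName"]
        if not set(break_glass) <= set(p["conditions"]["users"].get("excludeUsers", [])):
            problems.append(f"{name}: break-glass accounts are not excluded")
        if p["state"] != REPORT_ONLY:
            problems.append(f"{name}: not starting in report-only mode")
        gc = p["grantControls"]
        controls = gc.get("builtInControls", [])
        if "passwordChange" in controls and ("mfa" not in controls or gc.get("operator") != "AND"):
            problems.append(f"{name}: passwordChange must be combined with mfa using AND")
        if "block" in controls and p["conditions"]["clientAppTypes"] == ["all"]:
            problems.append(f"{name}: would block every client app for the targeted users")
    return problems


def to_graph_json(policy: Dict) -> str:
    """Body for POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    bg = ["11111111-2222-3333-4444-555555555555"]  # invented break-glass account object ID
    policies = baseline(bg)
    print("problems:", validate(policies, bg) or "none")
    print(to_graph_json(policies[0]))
```

Deploy in report-only mode first and read the sign-in log for a week before flipping state to enabled, and keep at least two break-glass accounts with long random passwords excluded from every policy. The admin-isolation recommendation has no Conditional Access equivalent: it is implemented with restricted management administrative units or separate cloud-only admin accounts, so that a help-desk role cannot reset an administrator's password or re-register their MFA.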
Vulnerability
A new UEFI vulnerability, named "UEFIcanhazbufferoverflow", affects firmware running on several Intel processor families.
The flaw, tracked as CVE-2024-0762, allows a local attacker to elevate privileges and gain code execution within the UEFI firmware at runtime.
Many PC and server products from Lenovo, Intel and other vendors, built by different original equipment manufacturers (OEMs) and original design manufacturers (ODMs), are affected.
The flaw could be abused to plant a firmware backdoor on exposed devices that evades operating-system security controls and is hard to detect. Affected users are advised to apply the firmware updates provided by their vendors.
Two critical vulnerabilities, CVE-2024-0087 and CVE-2024-0088, have been found in NVIDIA's Triton Inference Server.
The flaws allow remote code execution and arbitrary address writes, posing significant risks to AI model integrity and sensitive data.
The first vulnerability lies in the server's log configuration interface and lets attackers write arbitrary files, including critical system files.
The second stems from inadequate parameter validation in shared memory handling, which lets attackers trigger segmentation faults and potentially leak memory contents.
Organizations running Triton Server are advised to apply the patches and tighten the security controls around the service.
A newly discovered vulnerability allows attackers to spoof Microsoft corporate email addresses, significantly increasing the risk of phishing.
The bug, found by researcher Vsevolod Kokorin, affects emails sent to Outlook accounts. The researcher has publicly disclosed the flaw, which Microsoft has not yet patched.
It lets threat actors send convincing phishing emails that appear to come from legitimate Microsoft corporate accounts, posing a significant risk to Outlook users worldwide.
Fortra has issued a critical advisory for a hard-coded password vulnerability (CVE-2024-5275) in its FileCatalyst software, specifically in the TransferAgent component.
The vulnerability poses a significant risk, potentially enabling machine-in-the-middle (MitM) attacks. It affects all versions of FileCatalyst Direct up to 3.8.10 Build 138 and all versions of FileCatalyst Workflow up to 5.1.6 Build 130.
Fortra's remediation steps include upgrading to the latest versions and updating REST calls to "http" if the FileCatalyst TransferAgent is used remotely.
Google has released a critical security update for the Chrome browser that addresses six high-severity vulnerabilities.
They include a type confusion in V8, an inappropriate implementation in WebAssembly, an out-of-bounds memory access in Dawn, and use-after-free bugs in Dawn and WebCodecs.
Such memory-safety flaws can lead to browser crashes and other serious security issues. Users are advised to update Chrome to the latest version immediately.
Research
To combat phishing, researchers have built a real-time, machine-learning-based browser extension that identifies phishing websites with an accuracy of 98.32%.
The approach promises to improve online security by catching sophisticated zero-day phishing sites that often evade traditional defences.
The model was trained on freely available internet data; of the algorithms evaluated, Random Forest performed best with an overall accuracy of 99.11%.
Integrating machine learning into browser extensions represents a promising advance for the cybersecurity landscape.