SOCRadar: 'On The Radar' Newsletter
SOCRadar: 'On the Radar' Newsletter - Third Edition


The third edition of SOCRadar's "On The Radar" LinkedIn special newsletter is here. You'll find the latest cybersecurity news, solutions, and exclusive community announcements (webinars, events etc.).

Hot Stories This Week

Meet @htmalgae, an anonymous security researcher with a wealth of experience in web application development. In the digital realm, htmalgae operates under this unique handle, and in the physical world, he is a senior software engineer at a prominent company. His recent findings have garnered significant attention, shedding light on the inner workings of ransomware operators. (Click here to read more.)

The 3 AM ransomware group has recently been spotlighted for its cybercriminal activities. What makes it the topic of the day, however, is its choice of technology. A recent tweet by a security researcher highlighted that the 3 AM ransomware gang is using an ancient PHP script, Yugeon Web Clicks v0.1, released in 2004, to monitor page views on its website. This choice of outdated technology raises several questions about the group's modus operandi and the reasons behind such a decision.

The 3 AM ransomware group's decision to use an outdated PHP script is a testament to the unpredictable nature of cybercriminals. While they employ advanced ransomware strains to target organizations, strategy, convenience, and overconfidence might drive their backend choices. Organizations must be vigilant and adopt a comprehensive security posture, considering that threats can come from both cutting-edge and outdated technologies.

SOCRadar provides advanced threat actor tracking, allowing organizations to proactively monitor and understand the tactics of threat actors and APT groups. Using automated data collection and AI-driven analysis across various web layers, SOCRadar alerts users about APT activities, enhancing their ability to detect and counteract malicious actions. The platform's alignment with the MITRE ATT&CK framework further ensures up-to-date threat intelligence. (Click here to read more.)

SOCRadar Threat Actor/Malware

Hackers favor Telegram as a platform for various activities, such as communication, announcements, advertisements, and recruitment. A red team enthusiast recently shared their latest development, revealing how threat actors can further exploit the platform. They introduced a new post-exploitation Command and Control (C2) agent built explicitly for Telegram. This agent, Nightmangle, quickly gained attention on its GitHub repository, accumulating 42 stars and several forks within two days of its launch.

SOCRadar delves into the enigmatic world of the dark web, where security threats abound, and diligently filters and highlights the most crucial events, providing valuable insights. With the Dark Web Monitoring module, SOCRadar promptly updates you on Telegram channel activities, discussions among hackers on dark web forums, and cybersecurity incidents targeting your digital assets. SOCRadar scans the dark web for leaked data and promptly reports such occurrences through the Dark Web News module. We aim to detect leaked data and alert the potential victim before an incident escalates into a catastrophe. (Click here to read more.)

SOCRadar Dark Web News

In the ever-changing cybersecurity landscape, staying updated with current vulnerabilities is crucial. The recent issues discovered in the WS_FTP Server underscore this fact. This article explores the details of these vulnerabilities, their possible consequences, and the suggested solutions. In September 2023, several vulnerabilities affecting the WS_FTP Server came to light. The Progress WS_FTP team promptly acknowledged these security gaps and released corresponding patches. Let’s shed some light on the most severe of these vulnerabilities:

Staying updated with vulnerabilities is paramount in an age of sophisticated cyber threats. Companies like SOCRadar, with its advanced Vulnerability Intelligence, empower businesses to stay ahead of potential threats. Utilizing such intelligence, businesses can timely identify, analyze, and remediate vulnerabilities, ensuring a more robust security posture. (Click here to read more.)

Vulnerability Intelligence Module of SOCRadar

Researchers have discovered a concerning surge in deceptive npm and PyPI packages distributed as part of a malicious campaign to extract Kubernetes configurations and SSH keys from compromised systems.

The domain used in the campaign (app.threatest[.]com) was found to resolve to two Cloudflare IP addresses. Additionally, researchers observed the use of Chinese characters in code comments, which is noteworthy. Nevertheless, this information does not identify a specific threat actor. Researchers identified additional packages in the days following the campaign's launch. The campaign began with an initial release of packages in the npm package repository, but as it evolved, the attackers expanded their distribution to include packages on PyPI.

Researchers report that, to date, the campaign has generated 46 publications across 39 distinct packages within the two ecosystems (npm and PyPI).

With the Supply Chain Intelligence feature under SOCRadar’s CTI module, you can include your vendors on a WatchList and stay vigilant regarding the most recent incidents that might affect your organization’s security. (Click here to read more.)

SOCRadar Supply Chain Intelligence

Google has issued a new CVE identifier for a critical zero-day vulnerability under active exploitation. The vulnerability, CVE-2023-5129, was initially misidentified as a Chrome vulnerability (CVE-2023-4863). However, the vulnerability has been revealed to affect the libwebp image library used for rendering images in WebP format, specifically stemming from the Huffman coding algorithm.

The libwebp image library is integrated into nearly every operating system and application, including those built on Electron. Consequently, the CVE-2023-5129 vulnerability does not solely impact web browsers but affects any software employing the libwebp library. The libwebp vulnerability is severe, with a maximum CVSS score of 10. The previous advisory with the identifier CVE-2023-4863 had a CVSS score of 8.8; because the wide availability of libwebp broadens the attack surface, the CVSS score has also been updated.

SOCRadar offers comprehensive solutions that enable you to easily detect, assess, and remediate vulnerabilities in real time. With its Vulnerability Intelligence module, the platform continuously monitors vulnerabilities. Using the module, you can search for vulnerabilities, access detailed information and related activities, and track hacker trends. (Click here to read more.)

SOCRadar Vulnerability Intelligence

Hot Events of Next Week

#AISA Annual #Cybersecurity Summit 2023: 🔥 Brace yourselves as the cyber-realm descends upon Melbourne! With the #AISA Annual #Cybersecurity Summit 2023, the Melbourne Exhibition and Convention Centre will transform into a hub of cyber intellect on 17-19 October. We will be there with our esteemed partner, KODE-1.

🚀 Witness industry maestros share invaluable insights during eye-opening keynotes, engaging panel discussions, and live demonstrations tailored for #business leaders aiming to fortify their domains against evolving digital threats.

📣 Meet with a vibrant community of directors, managers, tech specialists, and more. It's where business meets binary, law intersects with logic, and risk takes a rendezvous with resolution. The networking potential is as vast as the cyber horizon.

🔎 Uncover SOCRadar's latest cyber protection strategy at Booth No 95, where the nexus of technology meets real-world solutions.

📅 Mark your calendars and be part of reshaping the cyber narrative: https://lnkd.in/dkx8HNFv

SOCRadar 'Product Insights' This Week

Meet "SOCRadar Mobile App"

If you are one of our valuable +10,000 subscribers, SOCRadar's mobile app is now available for download. Just search "SOCRadar Mobile" on Google Play & App Store! To start using it, check the "Account Settings" on the Platform homepage now; you can log in using a QR code there. Don't forget to check your inbox this week for more details about the mobile app!

SOCRadar in the Press


Juan Carlos Villalba Cárdenas

Master's in Big Data and Business Intelligence at ENEB - Escuela de Negocios Europea de Barcelona

1y

Please, who distributes the product in Colombia?
