SAN MATEO, CA, August 14, 2023 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Brought to you by NetworkTigers.
- CISA reports third backdoor discovered in Barracuda ESG spyware campaign
- Fortinet warns of thousands of attacks hoping to exploit EoL Zyxel routers
- Modern CPUs vulnerable to trio of new side-channel attacks
- Russia implicated in UK Electoral Commission cyberattack as prime suspect
- High-ranking Microsoft 365 users targeted in EvilProxy phishing scheme
- Cloudflare Tunnels abused by threat actors to create undetected connections
- New malware campaign preys upon rookie cybercriminals
- Redis servers targeted with new Skidmap malware variant
- Clop ransomware using torrents to leak stolen data
CISA reports third backdoor discovered in Barracuda ESG spyware campaign
CISA has released an advisory reporting that a third backdoor used by threat actors attacking Barracuda ESG users has been found. Called “Whirlpool,” CISA says that the “malware takes two arguments (C2 IP and port number) from a module to establish a Transport Layer Security (TLS) reverse shell. The module that passes the arguments was not available for analysis.” Barracuda’s ESG appliances have been hit repeatedly over the last few months, with hackers using methods to maintain persistence that were stubborn enough to prompt the manufacturer to offer users replacement devices. The campaign, believed to be carried out for cyber espionage, has been linked to Chinese state-sponsored actors. Read more.
Fortinet warns of thousands of attacks hoping to exploit EoL Zyxel routers
According to a warning from Fortinet, the Gafgyt botnet malware is attempting to exploit a flaw in Zyxel P660HN-T1A routers via thousands of daily attacks. The router is at the end of its life, and threat actors are looking to take advantage of CVE-2017-18368. This is an old vulnerability, with Zyxel pushing a patch for it in 2017. It is unknown if the campaign is yielding many successful infections. Still, it signals the importance of keeping older products current as hackers dip into back catalogs of vulnerabilities to target those who have not kept up with updates. Read more.
Modern CPUs vulnerable to trio of new side-channel attacks
Three new side-channel attacks that could be carried out against modern CPUs to steal data have been identified by cybersecurity researchers. Called “Collide+Power,” “Downfall,” and “Inception,” these attacks “follow the disclosure of another newly discovered security vulnerability affecting AMD’s Zen 2 architecture-based processors known as Zenbleed.” According to researchers, “Downfall and Zenbleed allow an attacker to violate the software-hardware boundary established in modern processors,” which may give an attacker the ability to “access data in internal hardware registers that hold information belonging to other users of the system.” Inception “plants an ‘idea’ in the CPU while it is ‘dreaming,’ to make it take wrong actions based on supposedly self-conceived experiences.” Read more.
Russia implicated in UK Electoral Commission cyberattack as prime suspect
A cyberattack against the UK Electoral Commission that exposed the data of 40 million voters and persisted for two years has led UK authorities to list Russia as the prime suspect. Discovered in October of 2022, the attack exposed “all those in the UK who were registered to vote between 2014 and 2022, as well as the names of those registered as overseas voters.” The means of the attack are yet to be publicized, but “signs of ransomware” are said to have been detected in the breach. According to the UK Electoral Commission, the hack took so long to discover because it had “used a sophisticated infiltration method intended to evade our checks.” Read more.
High-ranking Microsoft 365 users targeted in EvilProxy phishing scheme
Threat actors are increasingly turning to the phishing platform EvilProxy, with a campaign discovered by Proofpoint having blasted 120,000 emails to more than 100 organizations to steal Microsoft 365 user accounts. The security firm warns that successful attacks targeting the cloud accounts of high-ranking executives have been surging. EvilProxy is especially clever because it “employs reverse proxies to relay authentication requests and user credentials between the user (target) and the legitimate service website,” allowing threat actors to bypass MFA security features. C-level victims are highly prioritized in this campaign and the only defense against attack is a higher degree of security awareness. Read more.
Cloudflare Tunnels abused by threat actors to create undetected connections
A tactic in which hackers abuse Cloudflare Tunnels to “create stealthy HTTPS connections from compromised devices, bypass firewalls, and maintain long-term persistence,” reported by Phylum in January 2023, has increased in popularity. “CloudFlare Tunnels is a popular feature provided by Cloudflare, allowing users to create secure, outbound-only connections to the Cloudflare network for web servers or applications.” Even more troubling, the company’s “TryCloudflare” feature allows users to create a one-time tunnel without ever making an account. “To detect unauthorized use of Cloudflare Tunnels, GuidePoint recommends that organizations monitor for specific DNS queries (shared in the report) and use non-standard ports like 7844.” Read more.
New malware campaign preys upon rookie cybercriminals
In another example of “no honor among thieves,” bot mitigation company Kasada has identified a malware campaign that uses OpenBullet configuration files to prey upon inexperienced criminals. According to Kasada, the campaign is built to “exploit trusted criminal networks.” It shows that savvy hackers are happy to devour beginners and use a RAT to steal their sensitive information. OpenBullet is an open-source pen-testing tool that “takes in a configuration file tailored to a specific website and can combine it with a password list procured through other means to log successful attempts.” These configs are bought and sold by hackers, often to those too inexperienced to generate their own, and therein lies the opportunity for attack. Read more.
Redis servers targeted with new Skidmap malware variant
Redis servers are now being targeted by a “new, improved, dangerous” variant of Skidmap, a cryptocurrency mining malware discovered in 2019, according to researchers at Trustwave. The firm reports that the malware can “adapt to the system on which it is executed.” Trustwave says it discovered a tactic that “involves breaching poorly secured Redis server instances to deploy a dropper shell script designed to distribute an ELF binary that masquerades as a GIF image file.” The malware is very difficult to detect, with researchers saying that on home computers the only indication of infection was “excessive operations of fans” and, on laptops, a higher case temperature. Read more.
Clop ransomware using torrents to leak stolen data
The Clop ransomware gang, which recently grabbed headlines with its hack of MOVEit, has changed its operations and now uses torrents to leak data stolen in its attacks. Previously, the gang employed Tor and clearweb sites to leak information, but each had drawbacks related to traceability and download speeds. The nature of torrents decentralizes the source of the data and speeds up downloads. It is expected that Clop and other gangs may continue to move in this direction, as it’s easier than creating a custom site and allows for an even broader distribution of stolen data. Read more.