SAN MATEO, CA, April 17, 2023 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Brought to you by NetworkTigers.
- CISA: Android and Novi Survey vulnerabilities under attack
- LockBit may be the first major ransomware gang to target macOS with new encryptors
- Microsoft update patches 97 flaws, one of which has been exploited by ransomware gang
- FBI: Headline-grabbing “cyberattack” on Florida city’s water supply seems to have been user error
- Apple: patch and update to protect devices against two actively exploited zero-day bugs
- Persistent criminals use dark web Android loaders to circumvent Google Play security features
- Yum! Brands experiences ransomware attack, sends breach notice to affected people
- Ongoing Balada Injector malware campaign infects more than 1 million WordPress sites
- Automotive security consultant has vehicle stolen via hack
- ARES Leaks platform usage increases after BreachForums shutdown
CISA: Android and Novi Survey vulnerabilities under attack
CISA has added two new severe vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, both of which are currently under active exploitation. CVE-2023-20963 is an Android Framework Privilege Escalation Vulnerability that allows an attacker to “access users’ contacts, calendars, and photo albums without their consent,” and CVE-2023-29492 is a Novi Survey Insecure Deserialization Vulnerability which “allows remote attackers to execute code on the server in the context of the service account.” CISA urges users to apply any necessary patches as soon as possible. Read more.
LockBit may be the first major ransomware gang to target macOS with new encryptors
Cybersecurity researchers at MalwareHunterTeam recently discovered a ZIP archive on VirusTotal that “contained what appears to be all of the available LockBit encryptors.” While the archive contained expected encryptors for Windows, Linux, and VMware ESXi servers, encryptors for macOS, ARM, FreeBSD, MIPS, and SPARC CPUs were also found. Mac-specific encryptors included those designed for both new M1 computers as well as older PowerPC machines. BleepingComputer, upon analysis of the encryptors, found that they appeared to be incomplete and may be test versions. Read more.
Microsoft update patches 97 flaws, one of which has been exploited by ransomware gang
A massive update issued by Microsoft fixes 97 flaws in the company’s software products, most notably one that has been observed being exploited in the wild in ransomware attacks. “Seven of the 97 bugs are rated Critical and 90 are rated Important in severity. Interestingly, 45 of the shortcomings are remote code execution flaws, followed by 20 elevation of privilege vulnerabilities. The updates also follow fixes for 26 vulnerabilities in its Edge browser that were released over the past month.” Security firm Kaspersky has reported that CVE-2023-28252 has been used by cybercriminals to infect victims with Nokoyawa ransomware. Read more.
FBI: Headline-grabbing “cyberattack” on Florida city’s water supply seems to have been user error
The FBI has reported that it found no evidence of a cyberattack in a 2021 incident in which a hacker was believed to have accessed the water supply for Oldsmar, Florida. The alleged hack, which saw a potentially hazardous increase in the amount of lye briefly added to the city’s water, made international headlines and drew attention to the systems used to control and monitor the country’s most vulnerable infrastructure, as well as to their poor or outdated cybersecurity. However, the incident appears to have been accidentally caused by the same employee who reported it. Read more.
Apple: patch and update to protect devices against two actively exploited zero-day bugs
Two new zero-days affecting Apple devices have prompted the company to push out a patch. CVE-2023-28205 “is a flaw in Apple iOS, iPad OS, macOS, and Safari WebKit that could lead to code injection while processing malicious Web content,” according to CISA. CVE-2023-28206, the second of the two flaws, “affects Apple iOS, iPadOS, and macOS IOSurfaceAccelerator that, worryingly, could allow a malicious app to execute code with kernel privileges.” Both flaws are being exploited in the wild, meaning Apple users would do well to update their systems immediately. Read more.
Persistent criminals use dark web Android loaders to circumvent Google Play security features
Cybercriminals are using a number of means by which to evade Google’s security features and still get malicious apps up on the Google Play store. According to findings from Kaspersky, “the most popular application categories to hide malware and unwanted software include cryptocurrency trackers, financial apps, QR-code scanners, and even dating apps.” Threat actors are using loader programs, some of which cost up to $20,000, and stolen Google Play developer accounts to inject malware into already existing apps, thereby poisoning supposedly safe downloads. Users of Android devices are advised to “refrain from installing apps from unknown sources, scrutinize app permissions, and keep their devices up-to-date.” Read more.
Yum! Brands experiences ransomware attack, sends breach notice to affected people
Yum! Brands, owner of KFC, Pizza Hut and Taco Bell, is sending breach notifications to an undisclosed number of people after the company experienced a ransomware attack in which personal information was stolen. The attack, which took place on January 13th, was initially said not to have affected customer data. However, “Yum! Brands revealed that it has now found out the attackers stole some individuals’ personal information, including names, driver’s license numbers, and other ID card numbers” related to employees. When the attack took place, Yum! Brands shut down around 300 restaurants in the UK. Read more.
Ongoing Balada Injector malware campaign infects more than 1 million WordPress sites
A campaign underway since 2017 has infected more than 1 million WordPress sites with malware called Balada Injector. According to GoDaddy’s Sucuri, the campaign “leverages all known and recently discovered theme and plugin vulnerabilities” to breach WordPress sites. The attacks are known to play out in waves once every few weeks. The campaign uses newly registered domains hosting malicious code to direct users to scam sites that mimic tech support platforms, fake lottery wins and “rogue CAPTCHA pages urging users to turn on notifications to ‘Please Allow to verify, that you are not a robot,’ thereby enabling the actors to send spam ads.” Read more.
Automotive security consultant has vehicle stolen via hack
In a twist of irony, automotive security consultant Ian Tabor saw his Toyota RAV4 stolen after criminals dismantled its bumper to access the vehicle’s electronic control unit behind its headlight. “Once connected via the headlight, they hacked their way into the CAN bus — responsible for functions like the parking brakes, headlights, and smart key — through a gateway and then into the powertrain panel, wherein lies the engine control.” While the technological advancement of modern vehicles makes them more comfortable, easier, and safer to drive, savvy carjackers can subvert these complex systems in ways that allow them to make off with vehicles without ever touching a physical key. Read more.
ARES Leaks platform usage increases after BreachForums shutdown
In the wake of the FBI’s seizure of BreachForums, a threat group called ARES appears eager to fill the void with their own data leak forum. ARES Leaks is the group’s main platform, hosted on the regular web and offering data leaks from across 65 countries. As expected, transactions are made in crypto and ARES has even advertised “job opportunities” for malware developers. Private VIP channels are also available on ARES Leaks, which researchers believe are used to facilitate transactions involving data from high profile victims. LeakBase is another ARES-backed platform, also offering data for sale. It would appear that ARES is hoping to capitalize on the closure of BreachForums in whatever manner possible and could be responsible for the next major illicit marketplace. Read more.