SAN MATEO, CA, April 24, 2023 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Brought to you by NetworkTigers.
- Critical security updates issued by Cisco and VMware
- Abandoned WordPress plugin used by threat actors to create malicious backdoors
- Lazarus Group targeting Linux users with new malware
- Human error contributed to DC Health Link data breach
- Iranian hacker collective targeting US energy and transportation infrastructure
- Actively exploited Chrome zero-day receives patch from Google
- Former Conti and FIN7 members build new Domino malware
- NSO has deployed zero-click hacks against iPhone users
- Chameleon Android malware poses as government, banking and crypto apps
- RTM Locker ransomware gang uses unique tactics to reap rewards while remaining hidden
Critical security updates issued by Cisco and VMware
Patches have been issued by both Cisco and VMware that address vulnerabilities threat actors can exploit to execute arbitrary code. The flaws patched range from medium to high severity, and the update is considered critical. The most severe flaw, CVE-2023-20036 with a CVSS score of 9.9, is a “command injection flaw in Cisco Industrial Network Director, which resides in the web UI component and arises as a result of improper input validation when uploading a Device Pack.” Users of affected Cisco and VMware products are encouraged to update immediately, as these appliances remain high-priority targets for hackers. Read more.
Abandoned WordPress plugin used by threat actors to create malicious backdoors
Eval PHP, a WordPress plugin that “allows site admins to embed PHP code on pages and posts of WordPress sites and then execute the code when the page is opened in the browser,” is being exploited by attackers to compromise websites and create backdoors. The plugin is a legitimate WordPress offering, but it has not been updated in the last ten years and is considered abandoned. However, it is still available for installation from the WordPress plugin repository. Abuse of Eval PHP has been growing, with security firm Sucuri reporting that, on average, 4,000 malicious installations take place per day. Read more.
Lazarus Group targeting Linux users with new malware
North Korean state-backed hacking gang Lazarus Group has been busy targeting Linux users with new malware in an ongoing campaign that researchers have dubbed “Operation Dream Job.” The findings mark the first time Lazarus Group has used Linux malware in its campaigns, which lure victims with fraudulent job offers in order to get them to download malicious code. Researchers believe that the group is spreading this malware through LinkedIn links sent via direct message or spear phishing. Read more.
Human error contributed to DC Health Link data breach
The breach of DC Health Link, the health insurance marketplace used by members of Congress and their dependents, has been found to be partially caused by human error. Mila Kofman, Executive Director of the District of Columbia Health Benefit Exchange Authority, said that the FBI traced the issue to a server that was “misconfigured to allow access to the reports on the server without proper authentication. Based on our investigation to-date, we believe the misconfiguration was not intentional but human mistake.” It was this misconfiguration that then “enabled an unidentified hacker to steal two reports that contained the client information — some of which was later offered up for sale in an online forum.” Read more.
Iranian hacker collective targeting US energy and transportation infrastructure
Mint Sandstorm, an Iranian state-sponsored hacker group, has been found to have launched attacks against critical US infrastructure between late 2021 and mid-2022. According to an analysis from the Microsoft Threat Intelligence Team, Mint Sandstorm “is technically and operationally mature, capable of developing bespoke tooling and quickly weaponizing N-day vulnerabilities, and has demonstrated agility in its operational focus, which appears to align with Iran’s national priorities.” The group has reportedly targeted “seaports, energy companies, transit systems, and a major U.S. utility and gas company.” Read more.
Actively exploited Chrome zero-day receives patch from Google
For the second time this year, Google has issued a patch to resolve an actively exploited zero-day vulnerability in its Chrome browser. The vulnerability, CVE-2023-2136, is described as “a high-severity integer overflow vulnerability in Skia, a Google-owned open-source multi-platform 2D graphics library written in C++.” Successful exploitation of the flaw can allow a threat actor to perform “arbitrary code execution that leads to unauthorized system access.” The Chrome patch fixes eight vulnerabilities in total. Read more.
Former Conti and FIN7 members build new Domino malware
A new malware targeting corporate victims has been developed by ex-Conti members and the FIN7 threat actor group. “Domino is a relatively new malware family consisting of two components, a backdoor named ‘Domino Backdoor,’ which in turn drops a ‘Domino Loader’ that injects an info-stealing malware DLL into the memory of another process.” Domino appears to be a multifaceted malware, capable of installing info stealers as well as Cobalt Strike. Malicious developers, especially those that create ransomware, are prone to collaboration, which blurs the lines between established groups. Read more.
NSO has deployed zero-click hacks against iPhone users
NSO Group, an Israeli surveillance firm with a reputation for selling its wares to political leaders and parties known to abuse human rights, has been found by Citizen Lab to have deployed “at least three iOS 15 and iOS 16 zero-click exploit chains against civil society” throughout the last year. PWNYOURHOME and FINDMYPWN exploit Apple’s HomeKit app and the Find My iPhone feature, respectively, but researchers have noted that Apple’s Lockdown Mode was effective in detecting PWNYOURHOME. NSO has come under fire recently, most notably due to its development of Pegasus spyware. Read more.
Chameleon Android malware poses as government, banking and crypto apps
A new Android malware called Chameleon has been observed by cybersecurity firm Cyble. The malware is being distributed via “compromised websites, Discord attachments, and Bitbucket hosting services” and allows for “stealing user credentials through overlay injections and keylogging, cookies, and SMS texts from the infected device.” To evade detection, Chameleon first scans a potential victim’s device for any indication that its presence could be detected. Once the environment has been deemed hospitable, “Chameleon requests the victim to permit it to use the Accessibility Service, which it abuses to grant itself additional permissions, disable Google Play Protect, and stop the user from uninstalling it.” Read more.
RTM Locker ransomware gang uses unique tactics to reap rewards while remaining hidden
RTM (Read The Manual) Locker, a ransomware gang, has been observed building a few interesting features into its malware to evade detection while still strong-arming corporate victims into paying up. According to experts at cybersecurity firm Trellix, “the panel’s login page requires a username and password combination, along with a captcha code to prevent brute force login attempts by other actors and researchers alike.” To aid RTM in extorting major victims while avoiding attention, a company must remain active after being targeted or its ability to contact Trellix will be revoked. This technique keeps a company shutdown from attracting attention and pushes victims into following the gang’s rules. Read more.