SAN MATEO, CA, August 21, 2023 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Brought to you by NetworkTigers.
- New BlackCat ransomware variant embeds Impacket and RemCom onto targeted systems
- Microsoft PowerShell Gallery can be used to set the stage for a number of attacks
- CISA reports on critical Citrix ShareFile flaw under active exploitation
- Major flaws in Ivanti Avalanche affect 30,000 organizations
- LinkedIn users targeted in widespread account stealing campaign
- Hackers using fake beta apps to circumvent app store security policies
- Avada WordPress theme and plugin contains multiple security flaws
- Fake TripAdvisor complaints hiding new Knight ransomware
- Newly discovered Python URL parsing flaw could allow for command execution attack
New BlackCat ransomware variant embeds Impacket and RemCom onto targeted systems
Microsoft has discovered a new variant of the BlackCat ransomware that embeds the Impacket and RemCom tools, giving the operators remote code execution and lateral movement across a compromised network. According to the company’s threat intelligence team, the RemCom hacktool is embedded in the executable for remote code execution. “The file also contains hardcoded compromised target credentials that actors use for lateral movement and further ransomware deployment.” Ransomware actors continue to evolve their methods and remain a persistent threat, with some operations forgoing encryption altogether in favor of pure exfiltration, or mounting triple extortion attacks that “blackmail a victim’s employees or customers and carry out DDoS attacks to put more pressure.” Read more.
Microsoft PowerShell Gallery can be used to set the stage for a number of attacks
Microsoft’s PowerShell Gallery code repository has been found to allow threat actors to mount typosquatting attacks, to spoof popular packages easily by copying their author and copyright information, and otherwise to set the stage for supply chain attacks. A further flaw exposes packages and modules that their authors have marked as unlisted. The AquaSec Nautilus team researchers who discovered these bugs say that “this uncontrolled access provides malicious actors with the ability to search for potentially sensitive information within unlisted packages.” AquaSec reported the weaknesses in September 2022, but Microsoft has not closed the loopholes, stating that exploitation “relies on social engineering to be successful.” Read more.
CISA reports on critical Citrix ShareFile flaw under active exploitation
CISA warns that attackers in the wild are targeting a major flaw in Citrix ShareFile. Citrix publicized the vulnerability, which carries a 9.8/10 critical severity score and “could allow unauthenticated attackers to compromise customer-managed storage zones,” in June. According to the researchers who analyzed it, a threat actor could use the flaw to “achieve unauthenticated arbitrary file upload and full remote code execution by exploiting a seemingly innocuous cryptographic bug.” Vulnerabilities in managed file transfer products have become lucrative targets for attackers seeking sensitive material to use for extortion. Read more.
Major flaws in Ivanti Avalanche affect 30,000 organizations
A report from cybersecurity researchers at Tenable says that multiple security flaws in the enterprise mobile device management solution Ivanti Avalanche are “the result of buffer overflows arising as a consequence of processing specific data types.” The vulnerabilities are collectively tracked as CVE-2023-32560 and, if exploited successfully, could allow a threat actor to achieve remote code execution or simply crash the service. Over 30,000 organizations use Ivanti Avalanche, and the company has recently been a target of attackers. Users are urged to update to the latest version immediately. Read more.
LinkedIn users targeted in widespread account stealing campaign
Security firm Cyberint reports that a major campaign is underway in which LinkedIn users are either being locked out of their accounts for security reasons or having them hijacked outright by attackers using credentials taken from leak sites or obtained by brute force. LinkedIn support is lagging on the issue, seemingly because of the influx of account recovery requests. In some cases the hijackers demand a ransom from account holders to return control; in others they delete the account altogether. LinkedIn has yet to issue an official response to this wave of hijacks. Read more.
Hackers using fake beta apps to circumvent app store security policies
According to the FBI, criminals are promoting malicious “beta” versions of crypto-related apps and using them to steal from those who install them. By submitting these apps as betas, they bypass the inspection that production apps undergo before being listed, since beta apps receive far less scrutiny. The malicious apps mimic those offered by trusted companies and are distributed via phishing or romance scams. Users are urged to check with an app’s purported publisher to verify the legitimacy of any beta software and to be wary of apps that request permissions unrelated to their advertised functionality. Read more.
Avada WordPress theme and plugin contains multiple security flaws
Security researchers at Patchstack have uncovered several vulnerabilities in the Avada theme and Avada Builder, both popular with WordPress users. Avada Builder contains an authenticated SQL injection (CVE-2023-39309) that, if exploited, could allow threat actors to “breach sensitive data and potentially execute remote code.” Avada Builder also carries a reflected cross-site scripting (XSS) vulnerability (CVE-2023-39306), “enabling unauthenticated attackers to pilfer sensitive information and potentially heighten their privileges on impacted WordPress sites.” The Avada theme has also been found to contain a number of vulnerabilities that could allow remote code execution. Users are urged to update the Avada theme and Avada Builder immediately. Read more.
Fake TripAdvisor complaints hiding new Knight ransomware
A researcher at Sophos has identified a spam campaign in which messages posing as TripAdvisor complaint emails are being sent out to distribute Knight ransomware. The email carries a ZIP attachment named “TripAdvisorComplaint.zip” that contains an executable named “TripAdvisor Complaint – Possible Suspension.exe.” Knight is a rebrand of the Cyclops ransomware-as-a-service operation. Cyclops only launched in May 2023, but in July the outfit changed its name to Knight and made a public request for new members. No victim names or stolen data have been posted on the Knight data leak site. Read more.
Newly discovered Python URL parsing flaw could allow for command execution attack
In an advisory, the CERT Coordination Center warns of a high-severity flaw in Python’s urllib.parse.urlparse function. A threat actor could exploit the bug to “bypass domain or protocol filtering methods implemented with a blocklist,” potentially leading to command execution. The advisory states that “urlparse has a parsing problem when the entire URL starts with blank characters. This problem affects the parsing of hostname and scheme and eventually causes blocklisting methods to fail.” The flaw, tracked as CVE-2023-24329, “would help an attacker to bypass the protections set by the developer for scheme and host. This vulnerability can be expected to help SSRF and RCE in a wide range of scenarios.” Read more.
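As an added illustration of the urlparse behaviour described in the advisory (this is example code written for this roundup, not code from CERT/CC, the Python project, or any of the stories above), the block below puts a naive blocklist-style URL filter beside a hardened one. On an unpatched interpreter, `urlparse(" https://evil.com/")` yields an empty scheme and no hostname, so a filter that only asks “is the host on my blocklist?” lets the URL through, while the HTTP client that later fetches it happily ignores the leading space. The hardened version strips the same leading C0-control and space characters that the upstream fix strips, requires an allowlisted scheme and a non-empty hostname, and only then consults the blocklist, so it gives the same answer whether or not the interpreter is patched. The blocked hosts and the sample URLs are constructed for the example; `interpreter_strips_leading_space()` is a helper added here to report which behaviour the running interpreter has.

```python
from urllib.parse import urlparse

# Constructed blocklist for the example: typical SSRF targets plus a stand-in attacker host.
BLOCKED_HOSTS = {"169.254.169.254", "localhost", "evil.com"}
BLOCKED_SCHEMES = {"file", "gopher", "ftp"}
ALLOWED_SCHEMES = {"http", "https"}

# WHATWG "C0 control or space": U+0000..U+001F and U+0020. Patched urlsplit strips
# these from the front of the input; the hardened filter does so explicitly.
_C0_OR_SPACE = "".join(chr(c) for c in range(0x21))


def interpreter_strips_leading_space():
    """True on an interpreter that carries the CVE-2023-24329 fix (helper added for this example)."""
    return urlparse(" https://a.example/").scheme == "https"


def naive_is_allowed(url):
    """Blocklist-only filter of the kind the advisory describes as bypassable.

    On an unpatched interpreter, a URL with a leading space parses with scheme=''
    and hostname=None, so neither blocklist matches and the URL is allowed.
    """
    parts = urlparse(url)
    if parts.scheme.lower() in BLOCKED_SCHEMES:
        return False
    if parts.hostname in BLOCKED_HOSTS:
        return False
    return True


def hardened_is_allowed(url):
    """Normalize first, allowlist the scheme, require a hostname, then blocklist."""
    # Normalize exactly as the fixed parser does, so the result does not depend on
    # which interpreter the application happens to run on.
    url = url.lstrip(_C0_OR_SPACE)
    parts = urlparse(url)
    # Allowlist the scheme: an empty or unexpected scheme is a failure, not a pass.
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    host = parts.hostname
    # A URL that the parser could not assign a host to must be rejected outright.
    if not host:
        return False
    # hostname is already lower-cased by urllib; drop a trailing dot before comparing.
    if host.rstrip(".") in BLOCKED_HOSTS:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs: a benign URL, a blocked host, and three bypass attempts.
    samples = [
        "https://example.org/page",
        "https://evil.com/",
        " https://evil.com/",
        "\x1fhttps://evil.com/",
        "file:///etc/passwd",
    ]
    print("interpreter patched:", interpreter_strips_leading_space())
    for s in samples:
        print(f"{s!r:28} naive={naive_is_allowed(s)!s:5} hardened={hardened_is_allowed(s)}")
```

The point of the hardened version is not the whitespace strip alone but the order of checks: an allowlisted scheme plus a mandatory hostname means any input the parser fails to decompose is rejected rather than waved through, which is the general defence against this class of parser-differential bypass.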