SAN MATEO, CA, August 28, 2023 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Brought to you by NetworkTigers.
- 2.6 million Duolingo users have data leaked on hacking forum
- FBI warns that Barracuda ESG appliances are still vulnerable in spite of patch
- Lazarus Group using ManageEngine to infect victims with new CollectionRAT
- Lapsus$ teen hackers convicted of cyberattacks
- Cisco VPNs are being targeted by new Akira ransomware
- Scarab ransomware attacks surging due to malicious Spacecolon toolset
- TP-Link smart bulbs capable of stealing wifi credentials
- Threat actors could take over a PC using new WinRAR vulnerability
- New Chrome feature will warn users if they download a malicious browser extension
- Android malware apps using APK compression to remain under the radar
2.6 million Duolingo users have data leaked on hacking forum
Duolingo, a language learning platform used by more than 74 million monthly users, has suffered a breach in which the data of 2.6 million customers was posted on a hacking forum. Duolingo has confirmed that the data was sourced from public-facing profiles and has stated that its systems were not internally compromised. The data contains Duolingo usernames and email addresses, raising concern that it will be used to craft sophisticated phishing attacks. It is an example of why many security researchers feel that companies must prioritize preventing data scraping from their services. Duolingo is coming under fire for security lapses in its API that allow for “unauthorized access to email addresses associated with Duolingo accounts.” Read more.
FBI warns that Barracuda ESG appliances are still vulnerable in spite of patch
The FBI has warned that Barracuda Email Security Gateway (ESG) appliances remain vulnerable to attack, as patched devices are still being compromised. Barracuda urged users to physically replace their units because it could not guarantee that all malware would be removed even after patching, and now the FBI is recommending the same. “The FBI strongly advises all affected ESG appliances be isolated and replaced immediately, and all networks scanned for connections to the provided list of indicators of compromise immediately.” Barracuda’s products have been under heavy attack from hackers that the FBI says are based in China. Read more.
Lazarus Group using ManageEngine to infect victims with new CollectionRAT
Lazarus Group, North Korea’s most notorious state-sponsored hacker collective, has been exploiting a vulnerability in Zoho’s ManageEngine ServiceDesk to penetrate healthcare organizations and internet infrastructure providers in the US and the UK. By investigating Lazarus’ activity, researchers have determined that the group has developed a new malware called CollectionRAT. CollectionRAT’s capabilities include “arbitrary command execution, file management, system information gathering, reverse shell creation, new process spawning, fetching and launching new payloads, and self-deletion.” It can also “decrypt and execute its code on the fly, evade detection, and thwart analysis,” thanks to the Microsoft Foundation Class (MFC) framework. Read more.
Lapsus$ teen hackers convicted of cyberattacks
One of the leaders of Lapsus$, the upstart hacking outfit that grabbed headlines last year for a sudden spree of hacks against major companies such as Uber, Microsoft, Cisco, Okta, Nvidia, T-Mobile, Samsung, Vodafone, Ubisoft, 2K, Globant, and Rockstar Games, has been found guilty. Arion Kurtaj, an 18-year-old from Oxford, England, along with the rest of Lapsus$, showed the world how easy it could be to penetrate supposedly high-security networks and did so with arrogance and “juvenile” glee. Kurtaj is to be sentenced later, and Lapsus$, having come under intense scrutiny from law enforcement last year, has been inactive since September of 2022. Read more.
Cisco VPNs are being targeted by new Akira ransomware
Akira ransomware, launched in March of 2023, is believed to be focusing attacks on Cisco VPN products to breach corporate networks. Akira has been observed “using the RustDesk open-source remote access tool to navigate compromised networks, making them the first ransomware group known to abuse the software.” The abuse of this legitimate tool allows Akira to avoid raising any flags, achieve “cross-platform operation on Windows, macOS, and Linux,” encrypt P2P connections, and support file transfers. It is highly recommended that users enable multi-factor authentication on any Cisco VPN products. Read more.
Scarab ransomware attacks surging due to malicious Spacecolon toolset
Variants of Scarab ransomware are being widely spread through a malicious toolset dubbed Spacecolon. Spacecolon is capable of a range of actions because it can pull in third-party tools. The threat actor responsible has been named CosmicBeetle by researchers at the security firm ESET, and while several Spacecolon variants contain Turkish-language text, the origin of the threat is not currently known or linked to any specific group. According to researchers, the toolset “probably finds its way into victim organizations by its operators compromising vulnerable web servers or brute forcing RDP credentials… CosmicBeetle does not choose its targets; rather, it finds servers with critical security updates missing and exploits that to its advantage.” Read more.
TP-Link smart bulbs capable of stealing wifi credentials
TP-Link smart bulbs, controlled via the TP-Link Tapo app, have been discovered to harbor four vulnerabilities that could allow threat actors to steal a user’s wifi password. The first flaw allows threat actors to impersonate the device during session key exchange. The second is due to a “hard-coded short checksum shared secret, which attackers can obtain through brute-forcing or by decompiling the Tapo app.” Flaw three “is a medium-severity flaw concerning the lack of randomness during symmetric encryption that makes the cryptographic scheme predictable.” The fourth problem is due to the device “keeping session keys valid for 24 hours, and allowing attackers to replay messages during that period.” The Tapo app has 10 million downloads in the Google Play marketplace. Read more.
Threat actors could take over a PC using new WinRAR vulnerability
WinRAR contains a high-severity security flaw that, if successfully exploited, could allow an attacker to remotely execute code on a targeted Windows system. According to the Zero Day Initiative, “the issue results from the lack of proper validation of user-supplied data, which can result in a memory access past the end of an allocated buffer.” Some social engineering is required on the attacker’s part, as “exploitation requires user interaction in that the target must be lured into visiting a malicious page or by simply opening a booby-trapped archive file.” The flaw is fixed in the latest version of WinRAR, released on August 2, 2023. Read more.
New Chrome feature will warn users if they download a malicious browser extension
To battle cybercrime, Google has begun testing a new Safety Check feature built into its Chrome browser that warns users if an installed extension has been removed from the Chrome Web Store, typically meaning it contains malware. With the feature enabled, an option under the “Privacy and security” settings brings users to a page where they can review any installed extensions removed from the store. If they have been flagged as malware, the user can manually remove the extension. The feature will go live in Chrome 117. Read more.
Android malware apps using APK compression to remain under the radar
Researchers at Zimperium have discovered that threat actors are using Android Package (APK) files with unknown or unsupported compression methods to evade anti-malware analysis, “a technique that limits the possibility of decompiling the application for a large number of tools, reducing the possibilities of being analyzed.” APKs using unsupported compression cannot be installed on devices running Android versions below 9, leaving devices on Android 9 and later exposed. More than 3,000 such apps were discovered, none available in the Play Store, “indicating that the apps were distributed through other means, typically via untrusted app stores or social engineering to trick the victims into sideloading them.” Read more.
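As an added defender-side check (not code from the Zimperium research or this article), the Python below reads only the ZIP central directory of an APK and flags entries whose compression-method id is neither stored (0) nor deflate (8), the two ids a normally built APK uses; the sample APK bytes and the 0x7777 method id are constructed here for illustration.

```python
import struct
import zlib

# Compression-method ids a stock APK uses (ZIP APPNOTE): 0 = stored, 8 = deflate.
EXPECTED_METHODS = {0: "stored", 8: "deflate"}

def build_zip(entries):
    """Minimal ZIP/APK from (name, data, method) tuples. Data is written as-is;
    `method` is only what the headers claim, which models the evasion trick."""
    local, central, offset = b"", b"", 0
    for name, data, method in entries:
        name_b, crc = name.encode(), zlib.crc32(data)
        # Local file header (30 bytes); both sizes equal because data is stored raw.
        hdr = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, 0, method, 0, 0,
                          crc, len(data), len(data), len(name_b), 0)
        local += hdr + name_b + data
        # Central directory header (46 bytes) pointing back at the local header.
        central += struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, 0, method,
                               0, 0, crc, len(data), len(data), len(name_b),
                               0, 0, 0, 0, 0, offset) + name_b
        offset += len(hdr) + len(name_b) + len(data)
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries), len(entries),
                       len(central), len(local), 0)   # end-of-central-directory
    return local + central + eocd

def scan_compression_methods(blob):
    """Return {entry name: method id} by walking the central directory only,
    so entries that no decompressor understands are still listed."""
    eocd_at = blob.rfind(b"PK\x05\x06")
    if eocd_at < 0:
        raise ValueError("no end-of-central-directory record")
    total, cd_offset = struct.unpack_from("<IHHHHIIH", blob, eocd_at)[4:7:2]
    methods, pos = {}, cd_offset
    for _ in range(total):
        f = struct.unpack_from("<IHHHHHHIIIHHHHHII", blob, pos)
        if f[0] != 0x02014B50:
            raise ValueError("corrupt central directory")
        method, nlen, xlen, clen = f[4], f[10], f[11], f[12]
        methods[blob[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")] = method
        pos += 46 + nlen + xlen + clen
    return methods

def suspicious_entries(blob):
    """Names of entries whose headers claim a method a stock APK never uses."""
    return sorted(n for n, m in scan_compression_methods(blob).items()
                  if m not in EXPECTED_METHODS)

# Constructed sample: stored manifest plus a classes.dex claiming made-up method 0x7777.
SAMPLE_APK = build_zip([("AndroidManifest.xml", b"<manifest/>", 0),
                        ("classes.dex", b"dex\n035\x00", 0x7777)])
```

Run `suspicious_entries()` over APKs collected from outside the Play Store; any hit is worth a closer look, since a legitimate build tool would not emit such an entry.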