
Cybersecurity news January 22, 2024

SAN MATEO, CA, January 22, 2024 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Brought to you by NetworkTigers.

SolarWinds hackers accessed email accounts of senior Microsoft leaders

Russian threat actor group Nobelium, infamous for being behind the high-impact hack of SolarWinds, has accessed email accounts belonging to senior leaders at Microsoft, the company reports. Starting in November of 2023, the hackers were able to breach Microsoft using password spraying techniques and, according to an official blog post, were able to get into “a very small percentage of Microsoft corporate email accounts.” The activity has not affected customer data, and it appears the hackers were probing for information Microsoft may have had on them instead of setting the stage for a ransomware attack or other disruption. Some emails and documents were exfiltrated in the breach, although Microsoft has not yet provided details regarding what has been stolen. Read more.

VMware warns of patched vCenter flaw now being exploited in the wild

VMware has reported that a critical vCenter Server vulnerability that could allow remote code execution is under attack. The bug, fixed in an October patch, “is caused by an out-of-bounds write weakness in vCenter’s DCE/RPC protocol implementation.” Exploitation is reported to be relatively easy, with threat actors able to “exploit it remotely in low-complexity attacks with high confidentiality, integrity, and availability impact that don’t require authentication or user interaction.” Over 2,000 unpatched vCenter servers are said to be exposed online, and the company is encouraging admins to apply “strict network perimeter access control” to any deployment where the affected system cannot be patched. Read more.

Stealthy macOS backdoor found hidden within pirated software

Researchers at Jamf Threat Labs have discovered that threat actors are sneaking a backdoor into popular pirated software to target macOS users. The backdoor is “built atop an open-source post-exploitation toolkit called Khepri” and could grant hackers remote control of infected devices. Distributed through Chinese pirating websites, “the malware will download and execute multiple payloads in the background to secretly compromise the victim’s machine” once the pirated application has been downloaded and run. Due to its similarities with the ZuRu malware, Jamf researchers believe this new backdoor may be a successor. Read more.

OpenAI reveals strategies it will implement to combat election misinformation

ChatGPT and DALL-E developer OpenAI has revealed that it has collaborative plans with the National Association of Secretaries of State (NASS) to help combat the spread of misinformation about the 2024 elections. For example, when asked questions related to voting and the election, ChatGPT will provide users with a link to CanIVote.org instead of generating its own answer. To help prevent the use of deepfakes, OpenAI is also planning to implement the Coalition for Content Provenance and Authenticity’s (C2PA) digital credentials, which will help identify images made by DALL-E. Read more.

COLDRIVER threat actor group develops custom SPICA malware

Russia-linked hacking collective COLDRIVER, known chiefly for credential harvesting campaigns, has developed its own custom malware, written in the Rust programming language, according to research from Google’s Threat Analysis Group (TAG). The malware, a backdoor called SPICA, grants COLDRIVER access to a targeted machine while displaying a decoy document to keep victims from realizing they have been infected. “Once executed, SPICA decodes an embedded PDF, writes it to disk, and opens it as a decoy for the user,” says TAG. “In the background, it establishes persistence and starts the main C2 loop, waiting for commands to execute.” COLDRIVER is spreading SPICA via decoy PDFs sent from impersonation accounts and is targeting users known to work in international affairs. Read more.

iPhone spyware variants can be easily exposed using new iShutdown method

Security researchers at Kaspersky have reported that iPhone users can take advantage of a “lightweight method” called iShutdown to reveal signs of spyware targeting Apple devices, such as NSO Group’s Pegasus, QuaDream’s Reign, and Intellexa’s Predator. According to Kaspersky, these infections leave traces in a file called “Shutdown.log,” a text-based system log that records reboot activity. The log file is reportedly easier to access and less “time-consuming” to analyze than forensic device imaging or an iOS backup. The research also revealed “a similar filesystem path used by all three spyware families” (/private/var/db/ for Pegasus and Reign, and /private/var/tmp/ for Predator), which can therefore act as an indicator of compromise. Read more.
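As an added illustration (not code from Kaspersky's research or its iShutdown tooling), the following Python scans Shutdown.log-style text for processes that delayed a reboot and whose binaries live under the two paths named above. The log line format, the process names and the sample log are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass

# Filesystem prefixes the research above reports for the three spyware families.
SUSPICIOUS_PREFIXES = ("/private/var/db/", "/private/var/tmp/")

# Assumed line shape for clients that delayed a reboot: "remaining client pid: <pid> (<path>)".
CLIENT_RE = re.compile(r"remaining client pid:\s*(\d+)\s*\(([^)]+)\)")


@dataclass
class Finding:
    pid: int
    path: str
    first_line: int  # 1-based line number of the first matching entry
    hits: int        # how many reboot entries named this pid/path pair


def scan_shutdown_log(text: str) -> list[Finding]:
    """Return one Finding per (pid, path) whose path sits under a suspicious prefix."""
    seen: dict[tuple[int, str], Finding] = {}
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = CLIENT_RE.search(line)
        if m is None:
            continue
        pid, path = int(m.group(1)), m.group(2).strip()
        if not path.startswith(SUSPICIOUS_PREFIXES):
            continue  # ordinary system daemons delaying shutdown are not of interest here
        key = (pid, path)
        if key in seen:
            seen[key].hits += 1
        else:
            seen[key] = Finding(pid, path, line_no, 1)
    return list(seen.values())


# Constructed sample in the assumed format; not a real device log.
SAMPLE_LOG = """\
SIGTERM: [0x1f] MSG_SIGTERM
remaining client pid: 312 (/usr/libexec/exampled)
after 3s there are still 2 clients:
remaining client pid: 4521 (/private/var/db/com.example.agent/agent)
remaining client pid: 4522 (/private/var/tmp/updater)
after 6s there are still 1 clients:
remaining client pid: 4521 (/private/var/db/com.example.agent/agent)
"""

if __name__ == "__main__":
    for f in scan_shutdown_log(SAMPLE_LOG):
        print(f"pid {f.pid} at {f.path}: {f.hits} entries, first at line {f.first_line}")
```

A hit alone is a lead to investigate rather than proof of infection; the count of entries shows whether the same process kept delaying shutdown across several reboots.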

FBI warns of credential stealing Androxgh0st malware botnet

The FBI and CISA have warned about hackers building a botnet that steals AWS, Microsoft Office 365, and other popular cloud credentials using Androxgh0st malware. The hackers then use the stolen data to deploy further malicious software on victims’ systems. The agencies describe Androxgh0st as “a Python-scripted malware primarily used to target .env files that contain confidential information, such as credentials for various high profile applications (i.e., Amazon Web Services [AWS], Microsoft Office 365, SendGrid, and Twilio from the Laravel web application framework).” The botnet was first discovered in 2022 and, at that time, had more than 40,000 devices under its control. The agencies recommend that all administrators review and apply their recommended mitigation measures. Read more.

Ivanti Connect Secure appliances under active worldwide exploitation

Ivanti’s Connect Secure VPN and Policy Secure network access control appliances are under attack from hackers exploiting a pair of zero-day flaws to backdoor targeted systems with a GIFTEDVISITOR web shell variant, reports security firm Volexity. The targeted organizations run the gamut with regard to size and sector, with Volexity stating that “over 1,700 ICS VPN appliances” were compromised and that they “appear to have been indiscriminately targeted, with victims all over the world.” Ivanti has not yet made patches available to customers but has published mitigation measures. Over 16,800 ICS VPN appliances are reported to be exposed to the threat, with 5,000 of them within the United States. Read more.

94% of firms subjected to phishing attacks in 2023

Egress’ Email Security Risk Report 2024 indicates that 94% of corporate cybersecurity decision-makers were forced to address a phishing attack in the last year. Up 2% from the previous report, the data should be no surprise to anyone with an email inbox. Egress says that the top three most prevalent phishing techniques used in 2023 were malicious links, malware attachments, and attacks launched from accounts that had already been compromised. The report also indicates that phishing threat actors have become more effective, with the percentage of victimized organizations suffering adverse effects from an attack increasing from 86% to 96%. AI tools, such as deepfakes and language models, are of grave concern to cybersecurity admins, with 63% of respondents saying they are “kept up at night” over their implications. Read more.

Flaw in Opera web browser could let hackers run any file on targeted computer

The Opera web browser has been found to harbor a serious bug that could allow a hacker to execute files on the operating system of machines running macOS or Windows. Named “MyFlaw” by Guardio Labs, the remote code execution vulnerability “is achieved through a controlled browser extension, effectively bypassing the browser’s sandbox and the entire browser process.” The issue lies within Opera’s My Flow feature, which allows users to exchange notes and files through a web interface that operates outside of Opera’s security boundaries. Guardio Labs researchers discovered a “long-forgotten” version of the My Flow landing page that contained major security flaws but still had the same “access to (very) high permission native browser API.” The issue was resolved in a November 2023 patch, and all users are urged to update immediately. Read more.

Ukrainian hacker creates 1 million virtual servers for $2 million crypto scheme

A 29-year-old hacker in Ukraine has been arrested after using stolen accounts to create an astounding 1 million virtual servers, which he used to illegally mine $2 million in cryptocurrency. According to Europol, the hacker is believed to have been active since 2021, “when he used automated tools to brute force the passwords of 1,500 accounts of a subsidiary” of an unnamed e-commerce giant to gain administrative privileges and create his virtual servers. Ukrainian authorities report that the individual used TON crypto wallets to transfer his illegally acquired funds. Read more.


Derek Walborn
Derek Walborn is a freelance research-based technical writer. He has worked as a content QA analyst for AT&T and Pernod Ricard.
