SAN MATEO, CA, January 23, 2023 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Brought to you by NetworkTigers.
- Remote code execution exploit discovered in Microsoft Azure
- T-Mobile hacked again, 37 million accounts breached
- Mailchimp hacked via social engineering attack
- New Hook malware sets its sights on Android users
- Nissan: customer data exposed by third-party supplier
- Netcomm and TP-Link routers harboring security vulnerabilities
- Russian hackers observed testing ChatGPT’s restrictions with malicious intent
- GitHub Codespaces can be abused to deliver malware
- Network of fake, cracked software used to spread Raccoon and Vidar stealers
- Norton LifeLock breached, exposing customer password managers
Remote code execution exploit discovered in Microsoft Azure
A remote code execution vulnerability could allow a threat actor to deploy malicious ZIP files to a target’s Azure application and take control of it. Successful exploitation of the flaw, which has been dubbed EmojiDeploy, could also allow attackers to steal data or move laterally within the Azure environment. After being notified of the vulnerability, Microsoft patched it with an update.
T-Mobile hacked again, 37 million accounts breached
Just as T-Mobile rounds out the last phase of a settlement from a 2021 data breach, it has reported that a threat actor had access to data associated with 37 million of the mobile carrier’s customers since November 2022 after abusing one of its “application programming interfaces.” The information available to the attackers includes “names, billing addresses, email addresses, phone numbers and birth dates of its customers, their T-Mobile account numbers, and information on which plan features they have with the carrier and the number of lines on their accounts.” T-Mobile is downplaying the breach, saying that no passwords, Social Security numbers or payment data were accessible and that any data leaked was already publicly available.
Mailchimp hacked via social engineering attack
Mailchimp has reported that customer data was exposed in a social engineering attack that targeted employees and contractors. The attack described appears almost identical to a hack against the company in August of last year, after which Mailchimp put in place “an additional set of enhanced security measures.” While those measures were not described, they appear to have been ineffective in preventing a threat actor from using the same techniques as before to breach the company’s security and access customer support and account administrator tools.
New Hook malware sets its sights on Android users
DukeEngine, the malware developer responsible for creating the ERMAC and BlackRock banking trojans, has released another malware family called Hook. Hook has new features that let attackers access device files and “create a remote interactive session” to control the device’s screen. The malware, which also has RAT capabilities and device tracking, can be rented for $7,000 a month and is sure to cause headaches for Android users as it gains traction in the wild.
Nissan: customer data exposed by third-party supplier
Nissan North America has disclosed that data associated with almost 18,000 customers was leaked by a supplier and may have been accessed by an unauthorized third party. Nissan reports that the data was given to the supplier to conduct a software test and that some of the data used was mistakenly exposed. The information in the breach includes customer birth dates, names and numbers associated with vehicle financing. While the exposed data is not critical, Nissan warns that it could be used to stage phishing attacks.
Netcomm and TP-Link routers harboring security vulnerabilities
Two sets of security vulnerabilities have been discovered in Netcomm and TP-Link routers that can be used to achieve remote code execution. Netcomm router models NF20MESH, NF20 and NL1902 running software versions earlier than R6B035 are vulnerable to flaws CVE-2022-4873 and CVE-2022-4874, which can be chained together to allow an attacker to execute code remotely. TP-Link routers WR710N-V1-151022 and Archer-C5-V2-160201 are vulnerable to flaws CVE-2022-4499 and CVE-2022-4498, which can lead to remote code execution and information disclosure.
Russian hackers observed testing ChatGPT’s restrictions with malicious intent
Check Point Research has observed Russian hackers trying to bypass or circumvent the restrictions of the AI chatbot ChatGPT in order to use the technology for malicious activity. From using stolen credit cards to pay for unlimited access to bypassing the tool’s geo-restrictions, the dark web is abuzz with threat actors poking and prodding for ways to weaponize the technology against their victims. Check Point has already observed hackers using ChatGPT to create infostealers, encryption tools and other malicious code.
GitHub Codespaces can be abused to deliver malware
GitHub Codespaces, “a cloud-based configurable development environment that allows users to debug, maintain, and commit changes to a given codebase from a web browser or via an integration in Visual Studio Code,” has been found to be abusable by a threat actor to create a malicious file server. Cybersecurity firm Trend Micro, in a proof-of-concept demonstration, showed how an attacker could create a codespace, download malware into the environment from a domain that they or another threat actor controls, and then set the visibility of the forwarded port to public, thereby making the application act as a web server hosting malicious content. The technique has yet to be observed in the wild.
Network of fake, cracked software used to spread Raccoon and Vidar stealers
A network of more than 250 domains that purportedly offer cracked versions of popular software is being used to infect users with the Raccoon and Vidar information stealers, according to findings from French cybersecurity firm SEKOIA. The domains, which ultimately lead victims to download malicious files from GitHub, appear to be operated by a threat actor that rents them out to purveyors of malware. An alternative attack path sees victims directed to the domains via phishing emails that masquerade as having been sent by banking institutions.
Norton LifeLock breached, exposing customer password managers
Norton LifeLock has released a data breach notice alerting customers to a breach in which user password managers were exposed. According to the company, the breach was likely the result of a credential-stuffing campaign rather than a compromise of its own systems. Gen Digital, Norton LifeLock’s parent company, has sent the notice to around 6,450 users affected by the breach. According to Gen Digital, account compromises occurred as long ago as December 1, 2022.