SAN MATEO, CA, July 24, 2023 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Brought to you by NetworkTigers.
- CISA reports infrastructure breach due to Citrix RCE bug
- P2PInfect worm targeting Redis servers
- New Android spyware found on server belonging to APT41
- Google-owned VirusTotal exposes data of high-profile users
- Ransomware impersonating Sophos cybersecurity firm
- Hackers actively using critical WordPress payment plugin flaw to impersonate admins
- Attacker may have had access to JumpCloud customer data for two weeks
- Zimbra zero-day flaw exploited in the wild requires manual update
- Instances of malicious USB drives laced with malware increasing
CISA reports infrastructure breach due to Citrix RCE bug
A critical infrastructure organization in the US was breached in June by threat actors exploiting a then zero-day, unauthenticated RCE vulnerability (CVE-2023-3519) in Citrix’s NetScaler ADC and Gateway, CISA reports. In an advisory, “CISA warns that hackers leveraged the unauthenticated remote code execution (RCE) flaw to plant a webshell on the target’s non-production NetScaler Application Delivery Controller (ADC) appliance.” Around 15,000 NetScaler ADC and Gateway appliances are believed to be vulnerable to this attack. CISA’s advisory includes a set of commands that organizations can run on their appliances to check for signs of compromise. The fact that a non-production appliance was the one hit is a reminder that patching and compromise hunting must cover every internet-facing instance, not only production. Read more.
P2PInfect worm targeting Redis servers
Palo Alto Networks Unit 42 researchers have discovered a new cloud-targeting peer-to-peer (P2P) worm called P2PInfect. Targeting Redis servers running on Windows or Linux, the worm is reportedly “more scalable and potent than other worms.” Researchers estimate that as many as 934 Redis systems could be susceptible to P2PInfect. “A notable characteristic of the worm is its ability to infect vulnerable Redis instances by exploiting a critical Lua sandbox escape vulnerability, CVE-2022-0543 (CVSS score: 10.0).” That flaw stems from how Debian and derived distributions packaged Redis’s Lua interpreter, so updated distribution packages close it; Redis instances that are not reachable from untrusted networks are not exposed to the worm’s initial spread in the first place. P2PInfect establishes and maintains persistent access to a compromised host via a PowerShell script. Read more.
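The worm’s foothold depends on a Redis instance that is reachable, unauthenticated and still allows Lua scripting. The fragment below is an added illustration, not Unit 42’s material or Redis project documentation: it shows the weak settings next to a hardened redis.conf for a single-host deployment on Redis 6.2 or later, where the application does not need EVAL. The password and the assumption that nothing legitimate runs Lua are placeholders for this example; the actual fix for CVE-2022-0543 is the patched distribution package, and these settings only reduce exposure.

```conf
# --- Weak settings typical of an internet-exposed, worm-friendly instance ---
# bind 0.0.0.0            # listens on every interface
# protected-mode no       # disables the no-password/loopback safeguard
# (no requirepass / no ACL: anonymous clients can run EVAL)

# --- Hardened fragment (assumed: app and Redis on the same host, Redis >= 6.2) ---
bind 127.0.0.1 ::1        # loopback only; use a private interface plus TLS if remote clients are required
protected-mode yes
port 6379

# Default user: password required, full data access, but the @scripting
# category (EVAL, EVALSHA, SCRIPT, FUNCTION, FCALL) is removed.
# Replace the placeholder with a long random secret.
user default on >REPLACE-WITH-LONG-RANDOM-SECRET ~* &* +@all -@scripting

# On Redis versions older than 6, ACLs are unavailable; the equivalent
# blunt instrument is to rename the scripting commands away:
# rename-command EVAL ""
# rename-command EVALSHA ""
```

If an application genuinely needs Lua, give it a dedicated ACL user with `+@scripting` limited to that client’s credentials rather than re-enabling scripting for everyone, and still apply the distribution’s patched package.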
New Android spyware found on server belonging to APT41
APT41, a Chinese state-backed hacking group, targets Android users with WyrmSpy and DragonEgg spyware. Recently discovered by security researchers at Lookout, the two malware types “come with extensive data collection and exfiltration capabilities activated on compromised Android devices after deploying secondary payloads.” WyrmSpy disguises itself as a default operating system app, and DragonEgg poses as a third-party keyboard or messaging app. Researchers have not found instances of the spyware being deployed in the wild, having found the malware on a server belonging to the hacker group. Read more.
Google-owned VirusTotal exposes data of high-profile users
VirusTotal, a Google-owned platform used to scan files for malicious content, has experienced a data leak that affected over 5,000 users, some of whom work in government intelligence agencies. The leaked info includes “names and email addresses of employees from various backgrounds, including those from US and German intelligence agencies; official bodies of the Netherlands, Taiwan, and Great Britain; and large, well-known German companies, such as BMW and Mercedes Benz, among others.” The leak is said to have been the result of the “unintentional distribution of a small segment of customer group administrator emails and organization names” by a VirusTotal employee. Read more.
Ransomware impersonating Sophos cybersecurity firm
According to findings from MalwareHunterTeam, a new ransomware-as-a-service outfit is impersonating cybersecurity firm Sophos by operating under the name SophosEncrypt. The encryptor was at first thought to be part of an exercise connected to the company, but Sophos has denied making it and is investigating. Indications are that the ransomware is being actively deployed; upon infection, it changes the victim’s desktop wallpaper to a message bearing the Sophos logo. Read more.
Hackers actively using critical WordPress payment plugin flaw to impersonate admins
WooCommerce Payments, a widely used WordPress plugin that lets stores accept credit card payments, has a critical authentication bypass (CVE-2023-28121) that hackers are actively exploiting to take control of targeted sites. Researchers at RCE Security explain that “attackers can simply add an ‘X-WCPAY-PLATFORM-CHECKOUT-USER’ request header and set it to the user ID of the account they wish to impersonate. When WooCommerce Payments sees this header, it will treat the request as if it was from the specified user ID, including all of the user’s privileges.” Because user ID 1 is normally the first administrator on a WordPress site, an unauthenticated request can act as an admin, which is enough to create further administrator accounts or install plugins. The plugin is said to have more than 600,000 active installations. Site admins are urged to update to a patched version (5.6.2 or later) immediately. Read more.
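The root cause is a server trusting a client-supplied header as proof of identity. The Python below is an added example, not the plugin’s PHP or its actual fix: it contrasts that vulnerable pattern with one sound alternative, honoring the header only when the request also carries an HMAC from the trusted checkout platform over the claimed user ID and a nonce, and it includes a small hunting routine over constructed WAF-style log lines. The user table, the secret, the signature and nonce header names, the platform source IP and the log format are all assumptions made for this example.

```python
import hashlib
import hmac
import re

# Constructed user table standing in for the WordPress users table.
USERS = {
    1: {"login": "admin", "role": "administrator"},
    7: {"login": "shopper", "role": "customer"},
}
IMPERSONATION_HEADER = "X-WCPAY-PLATFORM-CHECKOUT-USER"
# Hypothetical signature/nonce headers and shared secret; not part of the real plugin.
SIGNATURE_HEADER = "X-Platform-Signature"
NONCE_HEADER = "X-Platform-Nonce"
PLATFORM_SECRET = b"constructed-shared-secret-do-not-reuse"


def resolve_user_vulnerable(headers, session_user=None):
    """Vulnerable pattern: whatever user ID the header names becomes the acting user.

    Nothing ties the header to the trusted checkout platform, so an anonymous
    client can name user ID 1 and be treated as the administrator.
    """
    uid = headers.get(IMPERSONATION_HEADER)
    if uid is not None and uid.isdigit() and int(uid) in USERS:
        return USERS[int(uid)]
    return session_user


def platform_signature(uid, nonce):
    """HMAC-SHA256 the trusted platform would attach (assumed scheme for this example)."""
    msg = f"{uid}:{nonce}".encode()
    return hmac.new(PLATFORM_SECRET, msg, hashlib.sha256).hexdigest()


def resolve_user_hardened(headers, session_user=None):
    """Hardened pattern: the header is honoured only with a valid platform HMAC.

    A missing or wrong signature means the header is ignored entirely and the
    request keeps whatever identity the normal session already gave it.
    """
    uid = headers.get(IMPERSONATION_HEADER)
    if uid is None:
        return session_user
    presented = headers.get(SIGNATURE_HEADER, "")
    expected = platform_signature(uid, headers.get(NONCE_HEADER, ""))
    # Constant-time comparison so the MAC cannot be recovered byte by byte.
    if not hmac.compare_digest(presented, expected):
        return session_user
    if uid.isdigit() and int(uid) in USERS:
        return USERS[int(uid)]
    return session_user


# Hunting: requests carrying the header from anywhere but the platform are leads.
HEADER_IN_LOG = re.compile(r"hdr:X-WCPAY-PLATFORM-CHECKOUT-USER=(\d+)")
PLATFORM_SOURCES = {"198.51.100.10"}  # assumed egress address of the trusted platform


def suspicious_requests(log_lines):
    """Return (source_ip, claimed_uid) for header-bearing requests not from the platform.

    The log format (source ip, method, path, 'hdr:NAME=VALUE') is constructed
    for this example; adapt the regex to whatever your WAF actually records.
    """
    hits = []
    for line in log_lines:
        m = HEADER_IN_LOG.search(line)
        if not m:
            continue
        src = line.split()[0]
        if src not in PLATFORM_SOURCES:
            hits.append((src, int(m.group(1))))
    return hits


# Constructed sample log lines.
SAMPLE_LOG = [
    "198.51.100.10 POST /wp-json/wc/store/checkout hdr:X-WCPAY-PLATFORM-CHECKOUT-USER=7",
    "203.0.113.5 POST /wp-json/wp/v2/users hdr:X-WCPAY-PLATFORM-CHECKOUT-USER=1",
    "203.0.113.9 GET /shop/ -",
]

if __name__ == "__main__":
    forged = {IMPERSONATION_HEADER: "1"}
    print("vulnerable:", resolve_user_vulnerable(forged))
    print("hardened  :", resolve_user_hardened(forged))
    print("hunting   :", suspicious_requests(SAMPLE_LOG))
```

The hardened resolver still needs replay protection in a real deployment (track nonces or bind a short-lived timestamp into the signed message); the point here is that an identity-carrying header must be cryptographically tied to the party allowed to assert it, and silently ignored otherwise.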
Attacker may have had access to JumpCloud customer data for two weeks
JumpCloud, a multidirectory management, identity and access management, and multifactor authentication provider reported that a spear phishing attack “allowed an unnamed nation-state sponsored threat actor to intrude JumpCloud’s systems and target specific customers last month.” The breach was detected on June 27th, and the time between the intrusion and the notification of customer impact indicates that the adversary may have had access to JumpCloud’s system for around two weeks. JumpCloud’s services are used by over 180,000 organizations in 160 countries. Read more.
Zimbra zero-day flaw exploited in the wild requires manual update
Zimbra has warned that a “security vulnerability in Zimbra Collaboration Suite Version 8.8.15 that could potentially impact the confidentiality and integrity of your data has surfaced.” The flaw, a reflected cross-site scripting (XSS) bug in the Zimbra web client, is being actively exploited, so applying the fix is urgently recommended. Zimbra has published the fix as a manual edit to a file on the server rather than as a packaged update, so it must be applied by hand on every ZCS 8.8.15 host. Cybercriminals regularly target Zimbra’s products. Notably, North Korean state actors were found to have used a previous zero-day exploit to spy on medical and energy sector organizations. Read more.
Instances of malicious USB drives laced with malware increasing
According to research from Mandiant, attacks that use an infected USB drive as an initial access vector have tripled in frequency since the start of 2023. The security firm reports that SOGU and SNOWYDRIVE campaigns, the former of which is the “most prevalent USB-based cyber espionage attack using USB flash drives and one of the most aggressive cyber espionage campaigns,” target public and private sector organizations. The campaigns have been traced to a China-based cluster, and organizations are urged to implement policies restricting external storage drives on their devices and networks. Read more.