SAN MATEO, CA, July 3, 2023 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Brought to you by NetworkTigers.
- AI voice cloning tools are a potent new scamming threat
- Hackers are hijacking SSH servers to create bandwidth-stealing proxy network
- Social Login WordPress plugin has severe account-exposing flaw
- Akira ransomware group targeting VMware ESXi servers with Linux version
- Number of victims affected by MOVEit hack reaches 121
- Fortinet releases update to address FortiNAC vulnerability
- Newly devised Mockingjay injection process can slip past EDR
- Volt Typhoon hackers using novel techniques to remain embedded in critical infrastructure
- Super Mario fan game spreading malware
AI voice cloning tools are a potent new scamming threat
An incident earlier this year in which cybercriminals attempted to extort a woman by cloning her daughter’s voice and claiming to have kidnapped her is a visceral reminder of the dangers posed by the wealth of new AI tools that scammers have at their disposal. The prevalence of these tools and the ease with which they can be weaponized has prompted the FBI to issue warnings that caution people against posting content online that could be used against them. The use of SIM-jacking in the case of a kidnapping scheme could also make the supposed victim unreachable, further lending legitimacy to the threats.
Hackers are hijacking SSH servers to create bandwidth-stealing proxy network
Researchers at Akamai have identified a new financially motivated campaign in which threat actors are ensnaring vulnerable SSH servers to build a proxy network. The campaign sees attackers “leveraging SSH for remote access, running malicious scripts that stealthily enlist victim servers into a peer-to-peer (P2P) proxy network, such as Peer2Profit or Honeygain.” Such proxyjacking “enables the attacker to monetize the extra bandwidth with a significantly reduced resource load necessary to carry out crypto-jacking; it also reduces the chances of discovery.”
Social Login WordPress plugin has severe, account-exposing flaw
miniOrange’s Social Login and Register plugin for WordPress has been found to have a critical flaw that could allow a threat actor to log in as any user so long as they know their associated email address. CVE-2023-2982 affects all plugin versions and has a CVSS score of 9.8. According to Wordfence researchers, exploiting this bug “makes it possible for an unauthenticated attacker to gain access to any account on a site, including accounts used to administer the site if the attacker knows or can find the associated email address.” The plugin is used on over 30,000 websites, putting many users at risk from an easily executed hack.
Akira ransomware group targeting VMware ESXi servers with Linux version
The Akira ransomware group, first identified targeting Windows systems in March of 2023, has been discovered to have created a Linux version of their malware designed to target VMware ESXi servers. Unlike many other Linux-based variants, Akira’s ransomware does not contain advanced abilities such as the “automatic shutting down of virtual machines before encrypting files using the esxcli command.” Adding Linux support has become popular among ransomware outfits looking to expand their victim base. While new, Akira appears to be proliferating and has already attacked several enterprise targets in double extortion schemes.
Number of victims affected by MOVEit hack reaches 121
The Clop ransomware gang’s hack of MOVEit continues to plague organizations across all sectors, as the total number of confirmed victims has now reached 121. Those affected include Sony, energy giant Shell, several major accounting firms, and educational facilities and school districts across the US, including the University of California and the New York City Department of Education. Infrastructure organizations affected include electricity providers all over the world, such as Siemens Energy and Schneider Electric. Biopharmaceutical company Abbvie Inc has also been affected.
Fortinet releases update to address FortiNAC vulnerability
Fortinet has issued an update to patch a critical vulnerability in the company’s FortiNAC network access control solution. The flaw, CVE-2023-33299, is a “deserialization of untrusted data vulnerability in FortiNAC [that] may allow an unauthenticated user to execute unauthorized code or commands via specifically crafted requests to the tcp/1050 service.” The bug exists in a number of FortiNAC products and has a 9.6 out of 10 severity rating.
Newly devised Mockingjay injection process can slip past EDR
Security Joes’ researchers have discovered a new injection method that “utilizes legitimate DLLs with RWX (read, write, execute) sections for evading EDR hooks and injecting code into remote processes.” Calling the technique “Mockingjay,” the researchers say that because it avoids commonly abused Windows API calls and does not set special memory permissions, allocate memory, or even start a thread, it sidesteps a number of the points at which injection is normally detected. Security Joes’ development of Mockingjay signifies the importance of relying on multiple means of threat detection instead of putting all your security eggs in one basket.
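As an added defensive illustration (this is not code from the page or from Security Joes), the following Python walks a PE image's section table and flags any section whose characteristics are simultaneously readable, writable and executable, the property Mockingjay relies on in a legitimate DLL. The sample image is constructed inline with a minimal DOS/COFF header so the check runs offline; the flag values are the standard IMAGE_SCN_MEM_* constants from the PE/COFF specification.

```python
import struct

# Section characteristic flags from the PE/COFF specification
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE

SECTION_HDR = "<8sIIIIIIHHI"  # 40-byte IMAGE_SECTION_HEADER


def pe_sections(data: bytes):
    """Yield (name, virtual_size, characteristics) for every section header."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    off = coff + 20 + size_opt  # section table follows the optional header
    for _ in range(num_sections):
        fields = struct.unpack_from(SECTION_HDR, data, off)
        name, vsize, chars = fields[0], fields[1], fields[9]
        yield name.rstrip(b"\0").decode("ascii", "replace"), vsize, chars
        off += 40


def rwx_sections(data: bytes):
    """Return the names of sections mapped read+write+execute at once."""
    return [name for name, _size, chars in pe_sections(data) if chars & RWX == RWX]


def build_sample_pe(sections):
    """Constructed minimal PE-shaped bytes (test input, not a real DLL)."""
    e_lfanew = 0x40
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 0, 0x2000)  # no optional header
    hdrs = b"".join(struct.pack(SECTION_HDR, n.ljust(8, b"\0"), 0x1000, 0, 0, 0, 0, 0, 0, 0, c)
                    for n, c in sections)
    return dos + b"PE\0\0" + coff + hdrs


SAMPLE_DLL = build_sample_pe([
    (b".text", IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE),
    (b".data", IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (b".rwx", RWX),  # the kind of section Mockingjay looks for
])

if __name__ == "__main__":
    print("RWX sections:", rwx_sections(SAMPLE_DLL))  # → ['.rwx']
```

Pointing `rwx_sections` at the DLLs shipped on a host produces an inventory of legitimate modules that carry such a section, which is a useful baseline for a hunt or for an EDR rule that watches those modules specifically.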
Volt Typhoon hackers using novel techniques to remain embedded in critical infrastructure
Volt Typhoon, a newly discovered state-sponsored Chinese threat actor, has been observed using “never-before-seen tradecraft to retain remote access to targets of interest.” Discovered by researchers at CrowdStrike, Volt Typhoon was seen to have “consistently employed ManageEngine Self-service Plus exploits to gain initial access, followed by custom web shells for persistent access, and living-off-the-land (LotL) techniques for lateral movement.” The group targets critical infrastructure and has engaged in cyber espionage campaigns against the US government and defense agencies.
Super Mario fan game spreading malware
Super Mario 3: Mario Forever, a fan game developed in 2003 that continued to receive developer updates for the next decade, has been found to have been laced with Windows malware by threat actors. Researchers at Cyble discovered that this particular version of the game “contains three executables, one that installs the legitimate Mario game (“super-mario-forever-v702e.exe”) and two others, “java.exe” and “atom.exe,” that are discreetly installed onto the victim’s AppData directory during the game’s installation.” Anyone who has recently downloaded the game should scan for malware.