SAN MATEO, CA, June 12, 2023 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Brought to you by NetworkTigers.
- Despite patches, Barracuda tells users to replace vulnerable ESG appliances immediately
- Cl0p ransomware gang hacks MOVEit file transfer platform
- Cisco and VMware release critical security updates
- More than 60K adware apps are masquerading as cracked Android apps
- Hacker group claims credit for Outlook.com outages
- Zyxel firewalls are under attack and require immediate patching
- SpinOK malware discovered in Android apps with 30 million installs
- Threat actors hijack legitimate sites to inject credit card-stealing code
- Hackers use picture-in-picture obfuscation to steal credentials
Despite patches, Barracuda tells users to replace vulnerable ESG appliances immediately
Although it has released several patches in response to exploitable bugs within its Email Security Gateway (ESG) appliances, Barracuda has seemingly waved the white flag and warned its customers that affected products should be replaced. The company made this decision after observing that even devices that had been patched were not fully secure against infiltration. Researchers suspect that the threat actors spearheading the exploitation of Barracuda’s equipment may have made changes deep within the appliances’ firmware. Experts suggest that users follow the company’s instructions, as abandoning a product rather than patching it speaks to the vulnerability’s critical nature. Read more.
Cl0p ransomware gang hacks MOVEit file transfer platform
The Cl0p ransomware gang has claimed credit for hacking MOVEit, a file-transfer platform used widely by many enterprise organizations, including the BBC, British Airways, and American universities, to share sensitive information. The gang was able to hack MOVEit by “exploiting a previously unknown SQL injection vulnerability in Progress Software’s managed file transfer (MFT) solution known as MOVEit Transfer,” according to CISA. Cl0p remains one of the most prolific threat actor outfits, regularly setting its sights on supply chain platforms and exploiting zero-day flaws to access supposedly secure data. Researchers believe that Cl0p was likely working on this MOVEit exploit since as far back as 2021. Read more.
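The flaw CISA describes is a SQL injection, the class of bug in which untrusted input is spliced into a query string and changes what the query does. The following is an added illustration, not MOVEit Transfer’s code or schema: a constructed SQLite table of file records, a lookup written with string concatenation, and the same lookup written with parameter binding, run against the same crafted input so the difference in results is visible.

```python
import sqlite3
from typing import Dict, List

# Constructed demo data; this is not the MOVEit schema.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE files (id INTEGER PRIMARY KEY, owner TEXT, name TEXT)")
    conn.executemany(
        "INSERT INTO files (owner, name) VALUES (?, ?)",
        [("alice", "q2-report.pdf"), ("bob", "payroll.xlsx"), ("carol", "contracts.zip")],
    )
    return conn


def list_files_vulnerable(conn: sqlite3.Connection, owner: str) -> List[str]:
    # Concatenating the caller's input into the SQL text lets that input
    # alter the query's structure, not just its value.
    sql = "SELECT name FROM files WHERE owner = '" + owner + "'"
    return [row[0] for row in conn.execute(sql)]


def list_files_safe(conn: sqlite3.Connection, owner: str) -> List[str]:
    # Parameter binding: the driver passes the value separately from the
    # query text, so it is only ever compared as a string.
    rows = conn.execute("SELECT name FROM files WHERE owner = ?", (owner,))
    return [row[0] for row in rows]


# A textbook probe string (constructed) that closes the quoted literal and
# appends an always-true condition when concatenated into the query.
PROBE = "alice' OR '1'='1"


def demo(owner: str = PROBE) -> Dict[str, List[str]]:
    conn = build_db()
    return {
        "vulnerable": list_files_vulnerable(conn, owner),
        "safe": list_files_safe(conn, owner),
    }


if __name__ == "__main__":
    for variant, names in demo().items():
        print(f"{variant:>10}: {names}")
```

With the probe string the concatenated query returns every owner’s files, while the bound query returns nothing because no owner literally matches that string. In an audit, the thing to look for is any code path that builds SQL text from request data; the fix is the second form, not input filtering.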
Cisco and VMware release critical security updates
Three security flaws in Aria Operations for Networks have been fixed, thanks to an update issued by VMware. The most severe flaw could have let a network-adjacent threat actor achieve remote code execution. The second most critical patch addresses a deserialization vulnerability that, once again, could allow for remote code execution if exploited successfully. Cisco’s Expressway Series and TelePresence Video Communication Server also received an update to fix a bug that could let an attacker “elevate their privileges to Administrator with read-write credentials on an affected system” and a fix for another that “could permit an authenticated, local attacker to execute commands and modify system configuration parameters.” Read more.
More than 60K adware apps are masquerading as cracked Android apps
Bitdefender has reported that a campaign involving thousands of adware apps posing as cracked versions of popular applications has targeted Android users since October 2022. “The campaign is designed to push adware to Android devices to drive revenue aggressively,” Bitdefender said. They also note that the malicious apps can “easily switch tactics to redirect users to other types of malware,” including credential stealers or spyware. Unlike many other campaigns of this nature, the apps are not available in the Google Play Store; instead, they are discovered via searches for popular platforms such as Netflix or YouTube. Bitdefender has discovered more than 60,000 apps carrying the adware. Read more.
Hacker group claims credit for Outlook.com outages
Outlook.com has experienced outages throughout the day resulting from an alleged DDoS attack at the hands of Anonymous Sudan, a hacker group “warning that they are performing DDoS attacks on Microsoft to protest the US getting involved in Sudanese internal affairs.” The group has been mocking Microsoft via its Telegram channel with messaging such as “How about you pay us 1,000,000 USD, and we teach your cyber-security experts how to repel the attack, and we stop it from our end?” Microsoft has blamed the blackouts and sluggish performance on technical issues and has not made a statement regarding the possibility of a cyberattack. Read more.
Zyxel firewalls are under attack and require immediate patching
CISA has added two newly disclosed flaws present in Zyxel firewalls to its Known Exploited Vulnerabilities catalog after they were observed being actively exploited in the wild. Both vulnerabilities are buffer overflows that threat actors could use to execute remote code or “cause a denial-of-service (DoS) condition.” Federal agencies must fix the issue by June 26th, and private sector users are strongly urged to do the same. Zyxel has also recommended that customers “disable HTTP/HTTPS services from WAN unless ‘absolutely’ required and disable UDP ports 500 and 4500 if not in use.” Read more.
SpinOK malware discovered in Android apps with 30 million installs
CloudSEK security researchers have discovered 93 apps in the Google Play store containing SpinOK malware. SpinOK masquerades as a legitimate mini-game but can perform intrusive tasks in the background, including uploading files and stealing login credentials. This latest batch of malicious apps has been installed on 30 million devices. However, researchers say that not every app carrying SpinOK is thought to have been built in bad faith, noting that “the developers of these apps likely used the malicious SDK thinking it was an advertising library, unaware that it included malicious functionality.” Read more.
Threat actors hijack legitimate sites to inject credit card-stealing code
Researchers at Akamai report that a new Magecart attack has been observed. A Magecart attack is “when hackers breach online stores to inject malicious scripts that steal customers’ credit cards and personal information during checkout.” To carry out the campaign, attackers first “identify vulnerable legitimate sites and hack them to host their malicious code, using them as C2 servers for their attacks.” They then “inject a small JavaScript snippet into the target commerce sites.” The campaign is stealthy, with some victims not realizing they had been breached for over a month. This methodology lets hackers avoid setting up their own infrastructure and weaponizes legitimate websites against their users. Read more.
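Because the injected snippet is small and the loader it pulls comes from an otherwise reputable site, origin reputation alone will not catch it. A practical control for a store owner is to keep a baseline inventory of every script on the checkout page and alert on any change, plus an allowlist of origins scripts may be loaded from. The block below is an added example, not Akamai’s research code or any store’s real page: it fingerprints external scripts by URL and inline scripts by a SHA-384 hash (the same digest Subresource Integrity uses), diffs a page against a stored baseline, and flags script origins outside the allowlist. The hostnames, the sample checkout HTML, and the injected script URL are all constructed.

```python
import base64
import hashlib
from html.parser import HTMLParser
from typing import List, Set
from urllib.parse import urlparse

# Origins this constructed store legitimately loads scripts from (assumption).
ALLOWED_SCRIPT_ORIGINS: Set[str] = {"shop.example", "cdn.shop.example"}


class ScriptCollector(HTMLParser):
    """Collect external <script src> values and inline <script> bodies."""

    def __init__(self) -> None:
        super().__init__()
        self.external: List[str] = []
        self.inline: List[str] = []
        self._in_inline = False
        self._buf: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline, self._buf = True, []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self.inline.append("".join(self._buf).strip())
            self._in_inline = False


def script_fingerprints(html: str) -> Set[str]:
    """One stable fingerprint per script: URL for external, SRI-style hash for inline."""
    p = ScriptCollector()
    p.feed(html)
    fps = {"ext:" + src for src in p.external}
    for body in p.inline:
        digest = base64.b64encode(hashlib.sha384(body.encode("utf-8")).digest()).decode()
        fps.add("inline:sha384-" + digest)
    return fps


def audit(html: str, baseline: Set[str], allowed: Set[str] = ALLOWED_SCRIPT_ORIGINS) -> List[str]:
    """Return human-readable findings; an empty list means the page matches the baseline."""
    current = script_fingerprints(html)
    findings = ["new script not in baseline: " + fp for fp in sorted(current - baseline)]
    findings += ["baseline script missing (possibly replaced): " + fp for fp in sorted(baseline - current)]
    for fp in sorted(current):
        if fp.startswith("ext:"):
            host = urlparse(fp[4:]).hostname or ""
            if host and host not in allowed:
                findings.append(f"script loaded from unexpected origin {host}")
    return findings


# Constructed checkout page as it looked when the baseline was recorded.
CLEAN_PAGE = """<html><head>
<script src="https://cdn.shop.example/checkout.js"></script>
<script>window.shopConfig = {currency: "USD"};</script>
</head><body><form id="checkout"></form></body></html>"""

# The same page with one extra loader tag pointing at a constructed third-party host,
# the shape of injection the report describes.
INJECTED_PAGE = CLEAN_PAGE.replace(
    "</head>",
    '<script src="https://hijacked-site.example/assets/loader.js"></script>\n</head>',
)

if __name__ == "__main__":
    baseline = script_fingerprints(CLEAN_PAGE)
    print("clean   :", audit(CLEAN_PAGE, baseline))
    print("injected:", audit(INJECTED_PAGE, baseline))
```

Run this from a scheduled job that fetches the live checkout page and compares it with the baseline committed alongside the site’s deploy artifacts; a change to the inline-script hash is as significant as a new external URL, since attackers who cannot add a tag may instead append to an existing one. Pair it with a Content-Security-Policy `script-src` built from the same allowlist so that unexpected origins are blocked in the browser as well as reported.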
Hackers use picture-in-picture obfuscation to steal credentials
Avanan security researchers have discovered a campaign in which threat actors use high-quality advertising images from Delta or Kohl’s to send victims to malicious URLs that steal login credentials. The images, which tempt users with discounts and gift cards, are sent via email and can typically slip past scanners, as such filters cannot flag “picture-in-picture” threats. While this attack is not sophisticated, hackers reportedly turn to AI platforms such as ChatGPT to create phishing emails nearly identical to those sent from legitimate sources, making them more challenging to detect. Read more.
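The reason text-oriented filters miss these messages is that the lure lives entirely inside the image: there is almost no visible text to scan, and the only actionable element is an image wrapped in a link. That structure is itself detectable. The block below is an added example, not Avanan’s detection logic: it parses a MIME message with the standard library, pulls the HTML part, and raises findings when the body is essentially a clickable image with little text, or when the link behind an image points at a host that does not belong to the sender’s domain. Both sample messages, their addresses, and their URLs are constructed.

```python
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from typing import Dict, List, Tuple
from urllib.parse import urlparse

MIN_VISIBLE_WORDS = 20  # below this, an image-plus-link message is treated as image-only


class _HtmlSummary(HTMLParser):
    """Collect visible text and every <img> that sits inside an <a href>."""

    def __init__(self) -> None:
        super().__init__()
        self.text: List[str] = []
        self.linked_images: List[Tuple[str, str]] = []  # (href, img src)
        self._hrefs: List[str] = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._hrefs.append(a.get("href") or "")
        elif tag == "img" and self._hrefs and self._hrefs[-1]:
            self.linked_images.append((self._hrefs[-1], a.get("src") or ""))

    def handle_endtag(self, tag):
        if tag == "a" and self._hrefs:
            self._hrefs.pop()

    def handle_data(self, data):
        self.text.append(data)


def _same_org(host: str, sender_domain: str) -> bool:
    return host == sender_domain or host.endswith("." + sender_domain)


def assess_message(msg: EmailMessage) -> Dict[str, object]:
    """Score one message; 'suspicious' is True when any heuristic fires."""
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is None:
        return {"suspicious": False, "reasons": []}
    summary = _HtmlSummary()
    summary.feed(html_part.get_content())
    visible_words = "".join(summary.text).split()
    sender_domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()

    reasons: List[str] = []
    if summary.linked_images and len(visible_words) < MIN_VISIBLE_WORDS:
        reasons.append("body is a clickable image with almost no visible text")
    for href, _src in summary.linked_images:
        host = (urlparse(href).hostname or "").lower()
        if host and sender_domain and not _same_org(host, sender_domain):
            reasons.append(f"image links to {host}, not the sender domain {sender_domain}")
    return {"suspicious": bool(reasons), "reasons": reasons}


def build_phish() -> EmailMessage:
    """Constructed image-only lure: one linked image, off-domain destination."""
    msg = EmailMessage()
    msg["From"] = "Promotions <deals@retailer.example>"
    msg["To"] = "someone@corp.example"
    msg["Subject"] = "Your gift card is waiting"
    msg.set_content("Open this message in an HTML-capable client.")
    msg.add_alternative(
        '<html><body><a href="https://claim-now.example/gc">'
        '<img src="cid:promo" alt=""></a></body></html>',
        subtype="html",
    )
    return msg


def build_benign() -> EmailMessage:
    """Constructed newsletter: real text, and the image links back to the sender's own domain."""
    msg = EmailMessage()
    msg["From"] = "News <news@retailer.example>"
    msg["To"] = "someone@corp.example"
    msg["Subject"] = "This week's newsletter"
    msg.set_content("Plain-text version of this newsletter.")
    msg.add_alternative(
        "<html><body><p>Thanks for reading this week's update. Below you will find our "
        "seasonal catalogue, store hours for the holiday period, and a summary of the "
        "loyalty programme changes we announced last month.</p>"
        '<a href="https://www.retailer.example/sale"><img src="cid:banner" alt="Sale"></a>'
        "</body></html>",
        subtype="html",
    )
    return msg


if __name__ == "__main__":
    for label, builder in (("phish", build_phish), ("benign", build_benign)):
        print(label, assess_message(builder()))
```

Neither heuristic is conclusive on its own: marketing mail is often image-heavy, and link-tracking redirectors legitimately point off-domain. The useful signal is the combination, and in a real pipeline the findings would feed a score alongside sender authentication results (SPF/DKIM/DMARC) and the reputation of the link destination rather than a hard block.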
- All cybersecurity news and articles are brought to you by NetworkTigers.