SAN MATEO, CA, June 19, 2023 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Brought to you by NetworkTigers.
- Clop ransomware gang begins push to extort victims of MOVEit hack
- VMware zero-day exploited by savvy Chinese state threat actors
- CISA releases in-depth joint security advisory regarding LockBit ransomware
- Threat actors are targeting cybersecurity researchers with fake zero-day PoC exploits
- DoubleFinger loader infects victims with crypto-stealing malware through PNG image
- Threat actors using BatCloak to make malware impossible to detect
- Huge phishing campaign using aged sites to avoid detection
- Hackers impersonate journalists to steal crypto from high-profile targets via Discord
- Fortinet issues critical firmware update for FortiGate SSL-VPN devices
Clop ransomware gang begins push to extort victims of MOVEit hack
The Clop ransomware group has updated its data leak website with the names of organizations it compromised through its exploitation of MOVEit, signaling that it is raising the stakes before dumping stolen information online. Clop had warned that the names of organizations that refused to strike a deal would be added to its site and further threatened to begin leaking data on June 21st. CISA is reportedly working with federal agencies affected by the MOVEit hack. Clop has indicated that data belonging to “military, children’s hospitals, GOV, etc.” is not its target and claims to have deleted any stolen data belonging to such organizations.
VMware zero-day exploited by savvy Chinese state threat actors
A state-sponsored Chinese threat group tracked as UNC3886 has been observed exploiting a zero-day flaw in VMware ESXi hosts to backdoor Windows and Linux systems. According to Mandiant, the bug allows for “the execution of privileged commands across Windows, Linux, and PhotonOS (vCenter) guest VMs without authentication of guest credentials from a compromised ESXi host and no default logging on guest VMs.” UNC3886 is described as vigilant, sophisticated, and adept at covering its tracks, which makes it difficult for researchers to investigate. “The group has access to extensive research and support for understanding the underlying technology of appliances being targeted,” Mandiant researchers said.
CISA releases in-depth joint security advisory regarding LockBit ransomware
CISA and around a dozen other international authorities have released an in-depth joint cybersecurity advisory regarding LockBit, the prolific Russia-based ransomware-as-a-service provider. The advisory covers how LockBit extorts its victims, a timeline of LockBit’s activities since its discovery, the ransomware strains it deploys, and more. It also describes remediation techniques and strategies organizations should employ to protect their data from LockBit and other ransomware.
Threat actors are targeting cybersecurity researchers with fake zero-day PoC exploits
Security researchers at VulnCheck have discovered a campaign in which fake proof-of-concept zero-day exploits are uploaded to GitHub and promoted by a web of fraudulent social media accounts associated with “High Sierra Cyber Security,” a company that does not actually exist. The campaign is elaborate: the GitHub repositories carry the names and headshots of real security researchers, and the threat actors maintain Twitter accounts tied to the spoofed repositories to lend them further credibility. Threat actors often target security experts either for research they can repurpose for their own ends or for data associated with the researchers’ clients.
DoubleFinger loader infects victims with crypto-stealing malware through PNG image
Researchers at Kaspersky have reported a malware campaign in which threat actors steal crypto from victims using a PNG image file that carries malicious code. The attack begins with a phishing email containing DoubleFinger, a multistage loader. When a victim clicks on “the associated malicious program information file (.pif)” within the email, it triggers a sequence of events that results in “some malicious shellcode downloading a PNG image from imgur.com”; the image uses steganography to hide the next stage inside seemingly harmless data. Finally, the victim is infected with GreetingGhoul, an info stealer designed to seek out crypto wallets and steal their credentials.
Threat actors using BatCloak to make malware impossible to detect
According to research by Trend Micro, threat actors have been using a fully undetectable (FUD) malware obfuscation engine called BatCloak since 2022 to keep their malicious software from being flagged by antivirus products. BatCloak “forms the crux of an off-the-shelf batch file builder tool called Jlaive, which has capabilities to bypass Antimalware Scan Interface” and “compress and encrypt the primary payload to achieve heightened security evasion.” BatCloak was a free, open-source download until it was taken down in September of 2022, but it has since been cloned, upgraded, ported, and modified.
Huge phishing campaign using aged sites to avoid detection
Researchers at Bolster have discovered a massive phishing campaign that used around 6,000 websites and 3,000 domains to trick victims into believing they were visiting legitimate brands, including Nike, Puma, Asics, Vans, Adidas, Columbia, Superdry, Converse, Casio, Timberland, Salomon, Crocs, Skechers, The North Face, UGG, Guess, Caterpillar, New Balance, Fila, Doc Martens, Reebok, Tommy Hilfiger, and more. The domains used in the campaign were found to have been aged anywhere from 90 days to two years. “Domain aging is a crucial factor in phishing operations, as the longer a domain stays alive but remains innocuous, the less likely it is to be flagged by security tools as suspicious.” The sites are believed either to never deliver the products people order or to ship a Chinese knockoff instead.
Hackers impersonate journalists to steal crypto from high-profile targets via Discord
Threat actors are using social engineering to hijack Discord and Twitter accounts and steal crypto. According to Scam Sniffer, the Pink Drainer hacking group has used these tactics to steal almost $3 million from nearly 2,000 victims. To do so, the hackers claim to be journalists from crypto-centric media outlets such as Cointelegraph and Decrypt. After 1-3 days of contact, the hackers send their victims a malicious link that steals their Discord token. High-profile victims of the campaign include OpenAI CTO Mira Murati, Steve Aoki, Evmos, Pika Protocol, Orbiter Finance, LiFi, Flare Network, Cherry Network, and Starknet.
Fortinet issues critical firmware update for FortiGate SSL-VPN devices
Fortinet has released a new firmware update that fixes a “critical pre-authentication remote code execution vulnerability” in the company’s popular SSL VPN devices. While Fortinet has yet to disclose details of the bug itself, security researchers anticipated the patch’s release, with French cybersecurity firm Olympe Cyberdefense saying that, if exploited successfully, it would “allow a hostile agent to interfere via the VPN, even if the MFA is activated.” More than 250,000 vulnerable Fortinet firewalls are exposed online. Because the patch fixes a flaw present in earlier firmware versions, all users are encouraged to update immediately, before Fortinet publishes details of the bug and exploitation attempts follow.