SAN MATEO, CA, June 26, 2023 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Brought to you by NetworkTigers.
- Simple bug lets attackers deliver malware from external Microsoft Teams account
- Apple releases emergency update to battle iOS spyware campaign
- Popular WooCommerce WordPress plugin harbors a critical flaw
- Threat actors are exploiting VMware’s Aria Operations for Networks in the wild
- New Condi botnet exploits TP-Link AX21 routers, purges competing threat actors’ code
- More than 100,000 ChatGPT account credentials taken via info-stealing malware
- Researchers uncover toolkit targeting macOS
- BlackCat ransomware gang claims to have hacked Reddit
- Outlook and Azure outages were the result of a DDoS attack
Simple bug lets attackers deliver malware from external Microsoft Teams account
Security researchers at Jumpsec have discovered a simple way to infect an organization with malware from an external source in Microsoft Teams. The attack requires Teams to run the default configuration so that communication with accounts outside the company is permitted. Although the platform has barriers in place that prevent an external account from delivering files, it was found that the restriction could be sidestepped by “changing the internal and external recipient ID in the POST request of a message, thus fooling the system into treating an external user as an internal one.” Jumpsec has contacted Microsoft regarding the bug, but the company has not addressed it. Read more.
Apple releases emergency update to battle iOS spyware campaign
Apple has issued an update to address a pair of zero-day bugs within iOS that threat actors have been exploiting to infect targets with spyware in a campaign known as “Operation Triangulation.” The TriangleDB malware deployed in the campaign displays curious features, described by Kaspersky as having the ability “to read any file on the infected device, extract passwords from the victim’s keychain and track the device geolocation.” TriangleDB reportedly has features that can be engaged later and requests permission from the OS to access components, such as the microphone and address book, that have no apparent use in its current form. This implies that the malware may engage them after additional modules are loaded. Kaspersky discovered the malware on a number of its own employees’ devices, and the Russian government has accused the US and Apple of deploying it to gather intel. Read more.
Popular WooCommerce WordPress plugin harbors a critical flaw
Abandoned Cart Lite for WooCommerce, a WordPress plugin used by more than 30,000 websites, has been found to harbor a critical flaw. Defiant’s Wordfence issued a statement about the bug, warning that the flaw “makes it possible for an attacker to gain access to the accounts of users who have abandoned their carts, who are typically customers but can extend to other high-level users when the right conditions are met.” The vulnerability, tracked as CVE-2023-2986, has been rated 9.8 out of 10 for severity and affects every version of the plugin up to and including version 5.14.2. Read more.
Threat actors are exploiting VMware’s Aria Operations for Networks in the wild
According to a warning posted by VMware, a recently patched critical command injection vulnerability in Aria Operations for Networks is under active attack. CVE-2023-20887 is a bug that could allow a threat actor to “perform a command injections attack, resulting in remote code execution.” To achieve this, the attacker first needs network access to the appliance. The flaw has reportedly been “weaponized” and is being exploited in the wild, although attack details remain scant. VMware strongly encourages users of Aria Operations for Networks to install the latest updates immediately. Read more.
New Condi botnet exploits TP-Link AX21 routers, purges competing threat actors’ code
Condi malware is a new DDoS-as-a-Service botnet discovered in May 2023 that exploits popular TP-Link Archer AX21 (AX1800) routers to amass a botnet. Unusually, the threat actors responsible for Condi also sell the malware’s source code, leading to a range of variants, offshoots, and “numerous project forks with different features.” The TP-Link AX21 routers are compromised using a “high-severity unauthenticated command injection and remote code execution flaw in the API of the router’s web management interface,” reported by researchers at ZDI in January. Condi is the second of two DDoS botnets to zero in on this bug, and the malware contains code that “attempts to kill any processes belonging to known competitor botnets.” Read more.
More than 100,000 ChatGPT account credentials taken via info-stealing malware
Cyber intelligence firm Group-IB has reportedly identified over 100,000 info-stealer logs across the web containing ChatGPT accounts, “with the peak observed in May 2023, when threat actors posted 26,800 new ChatGPT credential pairs.” This threatens organizations whose employees may paste proprietary or sensitive code into the platform. The AI chatbot logs users’ inputs, so an attacker who gains access to a compromised account can see everything that user has asked ChatGPT. Users are encouraged to delete past conversations from the tool to limit what a compromised account can reveal. Read more.
Researchers uncover toolkit targeting macOS
Bitdefender researchers have discovered malicious artifacts they believe to be part of a toolkit developed for attacking macOS systems. Two of the three malicious programs, collectively referred to as “JokerSpy,” are said to be generic “Python-based backdoors that are designed to target Windows, Linux, and macOS systems.” Researchers also found a backdoor with an “extensive set of capabilities to gather system metadata, enumerate files, delete files, execute commands and files, and exfiltrate encoded data in batches.” Read more.
BlackCat ransomware gang claims to have hacked Reddit
Amid Reddit’s current headache over changes to its API and the resulting user outcry directed at CEO Steve Huffman, the BlackCat ransomware gang has come forward claiming that it stole 80 GB of confidential information from the platform in February. The group claims to have reached out to Reddit on two occasions to extort it, but received no response. BlackCat is now threatening to release the stolen data, which it claims shows evidence of user censorship, unless Reddit pays up and reverses its recent API changes. Read more.
Outlook and Azure outages were the result of a DDoS attack
According to a statement from Microsoft, a Layer 7 DDoS attack is to blame for outages affecting users of the Outlook, Azure, and OneDrive web portals. The company has implicated a threat group called “Anonymous Sudan” as responsible for the attack. Anonymous Sudan has pledged to carry out attacks against any nation that opposes Sudan. It has “targeted organizations and government agencies worldwide, taking them down in DDoS attacks or leaking stolen data.” However, several researchers believe the group is a false flag operated by Russian state actors. Read more.