SAN MATEO, CA, March 13, 2023 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Brought to you by NetworkTigers.
- Hackers hitting SonicWall SMA devices with TinyShell backdoor malware
- Data belonging to 9 million AT&T customers exposed in hack of third-party vendor
- US House of Representatives member data for sale on dark web following breach of healthcare administrator
- Fortinet issues patches for 15 security bugs, one of which can allow remote access
- Dual-pronged “Hiatus” cyber espionage campaign targeting DrayTek routers servicing medium-sized businesses
- CISA adds three new flaws to its Known Exploited Vulnerabilities catalog
- Hackers using Windows Mock Folders UAC bypass to distribute Remcos RAT
- LastPass hack was possible due to vulnerability in engineer’s software unpatched for 3 years
- Play ransomware group attacks City of Oakland, begins leaking data
- Researchers find flaw in quantum-resistant algorithm chosen by US government
Hackers hitting SonicWall SMA devices with TinyShell backdoor malware
A hacking campaign believed to be tied to China has been observed attacking unpatched SonicWall Secure Mobile Access 100 devices with malware. The malware, “a collection of bash scripts and a single ELF binary identified as a TinyShell backdoor,” is designed to give an attacker access to SonicWall devices so that they may “steal user credentials, provide shell access, and persist through firmware upgrades,” according to a statement from security firm Mandiant. How the malware is delivered is currently not confirmed, although researchers suspect that attackers have been taking advantage of known security flaws to do so. Read more.
Data belonging to 9 million AT&T customers exposed in hack of third-party vendor
The hack of a third-party marketing vendor in January exposed data belonging to around 9 million AT&T customers, according to a statement by the company. The breach has exposed customer names, wireless account numbers, wireless phone numbers, and email addresses, but AT&T has said that no Social Security numbers, passwords, or payment information was leaked. The name of the compromised vendor has not been released and AT&T has notified law enforcement of the incident. Read more.
US House of Representatives member data for sale on dark web following breach of healthcare administrator
The FBI is currently investigating the breach of DC Health Link, the health insurance exchange through which members of the US House of Representatives obtain their healthcare plans. In an email to those impacted, Catherine L. Szpindor, the U.S. House Chief Administrative Officer, said that thousands of enrollees may have had their Personally Identifiable Information (PII) exposed. The data is up for sale on the dark web, and the broker offering it, operating under the name IntelBroker, claims to have already sold it. A sample of the data suggests the breach affects around 170,000 individuals, exposing names, addresses, Social Security numbers, phone numbers and more. Read more.
Fortinet issues patches for 15 security bugs, one of which can allow remote access
Fortinet has released fixes for 15 security vulnerabilities, one of which is a critical bug that could give an attacker remote access. Fortinet describes the flaw as “a buffer underwrite (‘buffer underflow’) vulnerability” in the administrative interface of FortiOS and FortiProxy. Because the bug corrupts memory, a remote attacker who can reach the administrative interface could use crafted requests to execute arbitrary code on the device; restricting management-interface exposure is a sensible stopgap until the update is applied. The flaw has not been seen exploited in the wild, but Fortinet users are encouraged to update immediately to secure their systems. Read more.
Dual-pronged “Hiatus” cyber espionage campaign targeting DrayTek routers servicing medium-sized businesses
A campaign has been discovered in which threat actors are infecting DrayTek routers with malware both to steal data and to “co-opt routers to become part of a covert command-and-control (C2) infrastructure for mounting hard-to-trace proxy campaigns.” The attackers deploy two binaries to do this: a variant of tcpdump, the packet-capture utility, which “monitors router traffic on ports associated with email and file-transfer communications on the victim’s adjacent LAN,” and HiatusRAT, which gives them remote control over the infected router. Based on the volume and type of data collected, researchers believe the campaign is being run by a state-backed actor. Read more.
CISA adds three new flaws to its Known Exploited Vulnerabilities catalog
CISA has added three flaws to its Known Exploited Vulnerabilities (KEV) catalog, all of which affect widely deployed IT management and data-processing software and all of which have been observed being exploited in the wild. CVE-2022-35914 (CVSS score: 9.8) is a Teclib GLPI remote code execution vulnerability. CVE-2022-33891 (CVSS score: 8.8) is an Apache Spark command injection vulnerability. CVE-2022-28810 (CVSS score: 6.8) is a Zoho ManageEngine ADSelfService Plus remote code execution vulnerability. The GLPI flaw is the most severe of the three. Read more.
Hackers using Windows Mock Folders UAC bypass to distribute Remcos RAT
A new phishing campaign sees threat actors dropping Remcos RAT malware using an old Windows User Account Control (UAC) bypass that is still effective today. The campaign involves sending victims a fake invoice with a DBatLoader executable hidden inside a tar.lz archive. The unusual archive format is thought to help the attack evade detection. “Before loading Remcos RAT, DBatLoader creates and executes a Windows batch script to abuse a Windows UAC bypassing method documented in 2020.” Read more.
LastPass hack was possible due to vulnerability in engineer’s software unpatched for 3 years
As more information regarding the major hack of LastPass comes to light, it’s been reported that attackers were able to compromise a company engineer’s home computer due to a three-year-old, now-patched flaw within Plex. The vulnerability “allows a remote, authenticated attacker to execute arbitrary Python code in the context of the current operating system user.” The flaw exists in a version of Plex that is “75 versions ago,” according to the developer. The incident highlights the domino effect that neglecting software updates can have on security. Read more.
Play ransomware group attacks City of Oakland, begins leaking data
California’s City of Oakland is reeling from a ransomware attack last month that saw attackers access multiple government networks. The threat actors, associated with the Play ransomware gang, have begun releasing stolen information, which implies that city officials did not turn over a ransom payment. The attack has resulted in disruptions that include non-emergency systems, phone lines and permit applications being taken offline. It is currently unclear what data was stolen in the breach, but it is expected to contain personal information about city employees. Read more.
Researchers find flaw in quantum-resistant algorithm chosen by US government
Researchers have demonstrated a side-channel attack against CRYSTALS-Kyber, the quantum-resistant key-encapsulation algorithm selected by the US National Institute of Standards and Technology (NIST) for standardization as a defense against future quantum computers. The attack targets implementations rather than the underlying mathematics: the researchers describe “side-channel attacks on up to the fifth-order masked implementations of CRYSTALS-Kyber in ARM Cortex-M4 CPU,” according to a paper by Elena Dubrova, Kalle Ngo, and Joel Gärtner of KTH Royal Institute of Technology, meaning that even implementations protected with masking countermeasures leaked enough information to be attacked. The lattice problem Kyber is built on is not broken, and the practical takeaway is that implementers, not the algorithm’s designers, need to harden their code. In response to the findings, NIST’s Dustin Moody said “there exist papers that attack pretty much every cryptographic algorithm using side channels. Countermeasures are developed, and many attacks aren’t realistic or practical in real-world scenarios.” Read more.