SAN MATEO, CA, March 6, 2023 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Brought to you by NetworkTigers.
- CISA: beware of Royal ransomware, operated by former Conti gang members
- BlackLotus malware has been updated to bypass security patches
- “Decider” is a free tool created by CISA to help MITRE ATT&CK mapping
- CISA: ZK Java Framework RCE flaw being exploited by hackers
- An employee’s compromised home computer led to the LastPass hack
- US Marshals Service hit with ransomware attack
- New EX-22 tool makes exfiltration a “cakewalk” for ransomware attackers
- New ChromeLoader malware campaign targets Nintendo Switch and Steam users
CISA: beware of Royal ransomware, operated by former Conti gang members
CISA has issued a warning regarding the capabilities of Royal ransomware. According to the agency, “after gaining access to victims’ networks, Royal actors disable antivirus software and exfiltrate large amounts of data before ultimately deploying the ransomware and encrypting the systems.” The operators of Royal are believed to be Conti Team One, an offshoot of the highly capable Conti Russian ransomware gang that was dismantled last year. Royal can infect Windows or Linux systems and attackers can choose what percentage of files to encrypt, lowering chances of detection. Read more.
BlackLotus malware has been updated to bypass security patches
The BlackLotus UEFI bootkit has been updated with Secure Boot bypass capabilities, meaning that even fully patched Windows 11 systems can be infected with the malware. BlackLotus emerged last year with features that make it undetectable by antivirus programs and is remarkable for being the “first public example of UEFI malware that can avoid the Secure Boot mechanism, thus being able to disable security protections that come with the operating system.” Microsoft addressed the vulnerability exploited by BlackLotus last summer, but its efforts have not been enough to close the security gap. Read more.
“Decider” is a free tool created by CISA to help MITRE ATT&CK mapping
“Decider” is an open-source tool released by CISA designed to assist security pros in generating reports via the MITRE ATT&CK framework. By adopting and standardizing this framework, organizations can more easily and effectively share findings related to cyberattacks and threat actor behavior. According to CISA, “Decider helps make mapping quick and accurate through guided questions, a powerful search and filter function, and a cart functionality that lets users export results to commonly used formats.” It can be downloaded from CISA’s GitHub, and the agency encourages users to submit feedback and feature suggestions for the software. Read more.
CISA: ZK Java Framework RCE flaw being exploited by hackers
CISA reports that it has added CVE-2022-36537 to its Known Exploited Vulnerabilities Catalog, as the remote code execution flaw within ZK Framework has been observed being exploited in the wild. The flaw allows threat actors to view and retrieve file contents “by sending a specially crafted POST request to the AuUploader component.” Federal agencies have until March 30th to apply the security updates needed to patch the vulnerability. According to the agency, “this type of vulnerability is a frequent attack vector for malicious cyber actors and poses a significant risk to the federal enterprise.” Read more.
An employee’s compromised home computer led to the LastPass hack
The recent hack of LastPass has been deemed to have stemmed from an attack on an employee’s home computer. An attacker accessed the device via a vulnerability in a media software package. The hacker then installed keylogger malware, which they used to capture the login credentials the engineer used to access the LastPass corporate vault. While unconfirmed, it is believed that the compromised software was Plex, as that platform also reported a breach not long after LastPass revealed theirs. Read more.
US Marshals Service hit with ransomware attack
The US Marshals Service has been hit with a ransomware attack that “compromised some of its most sensitive information, including law enforcement materials, and the personal information of employees and potential targets of federal investigations.” The impacted system was not connected to other parts of the network. However, its compromise still allowed threat actors to access law enforcement information regarding cases, along with the personal information of employees and targets of federal investigations. Upon discovery of the attack on February 17th, the affected system was quarantined and a forensic investigation was immediately initiated. Read more.
New EX-22 tool makes exfiltration a “cakewalk” for ransomware attackers
Exfiltrator-22, or EX-22, is a new post-exploitation framework spotted in the wild. Designed to operate under the radar within enterprise networks, EX-22, according to security firm CYFIRMA, “comes with a wide range of capabilities, making post-exploitation a cakewalk.” The malware is advertised as undetectable on Telegram and YouTube and is available for $1,000 monthly via subscription. EX-22 is still receiving tweaks, and it signals that post-exploitation-framework-as-a-service (PEFaaS) models are the latest method by which threat actors work to make hacks as easy as possible. Read more.
New ChromeLoader malware campaign targets Nintendo Switch and Steam users
Malicious software has been observed masquerading as VHD files that contain hacks or cracks for Nintendo Switch and Steam games. The malware, a versatile threat called ChromeLoader, is primarily used to compromise web browsers to redirect users to malicious sites or carry out click fraud using browser extensions. However, it has also been modified to steal data and even launch ransomware. Steam and Nintendo Switch users are urged not to download game cheats and to click only links from reputable sources. Read more.