SAN MATEO, CA, May 15, 2023 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Brought to you by NetworkTigers.
- Flaws in Netgear routers can be chained to execute remote code
- CISA warns of Ruckus bug used to infect wifi access points
- Aurora info-stealer malware being pushed by fake in-browser Windows update
- Free White Phoenix tool helps ransomware victims unlock their encrypted data
- Microsoft’s May patch addresses 38 flaws and an active zero-day bug
- Attackers gain root privileges by exploiting new Linux kernel NetFilter flaw
- North Korean hacker group Kimsuky using OneDrive links to spread malware
- Microsoft reports that state-sponsored attackers are exploiting PaperCut vulnerability
- FBI continues crackdown on cybercrime with seizure of DDoS-for-hire domains
- Akira ransomware emerges and begins collecting victims
- Cactus ransomware avoids antivirus detection by encrypting itself
Flaws in Netgear routers can be chained to execute remote code
Netgear RAX30 routers have been found to harbor five security flaws that can be chained together to achieve remote code execution, “monitor users’ internet activity, hijack internet connections, and redirect traffic to malicious websites or inject malware into network traffic.” The flaws could also be weaponized to “access and control networked smart devices like security cameras, thermostats, smart locks; tamper with router settings, and even use a compromised network to launch attacks against other devices or networks.” Users of Netgear RAX30 routers should update to version 22.214.171.124 to patch their systems. Read more.
CISA warns of Ruckus bug used to infect wifi access points
CISA has warned about a “critical remote code execution (RCE) flaw in the Ruckus Wireless Admin panel.” Attackers use the bug to infect victims’ devices with AndoryuBot malware and enlist them to create botnets to launch DDoS attacks. The bug was already issued a patch in February, but many users may have yet to install it and there is no fix for those that continue to use vulnerable products that are no longer supported. Federal agencies have until June to patch affected systems and private companies are strongly urged to do the same. Read more.
Aurora info-stealer malware being pushed by fake in-browser Windows update
Aurora info-stealer, a malware type with extensive capabilities, has been spotted being pushed in a campaign that uses fake in-browser Windows updates to trick users into downloading it. Researchers say the malvertising campaign uses popunder ads to direct victims to a malicious link. The technique uses a fullscreen window that appears to be an update screen. Users who download the resulting file, called “ChromeUpdate.exe,” are then subjected to malware injection that, upon first discovery, was largely undetected by antivirus software. “Malwarebytes comments that the threat actor behind this campaign appears particularly interested in creating hard-to-detect tools. They constantly upload new samples on Virus Total to check how they fare against detection engines.” Read more.
Free White Phoenix tool helps ransomware victims unlock their encrypted data
A new automated tool called White Phoenix has been released for free on GitHub by security researchers at CyberArk, who say it can “help victims of intermittent encryption attacks recover data from some partially encrypted files — without having to pay a ransom for the decryption key.” Several ransomware gangs use partial encryption because it makes hostile takeover quicker, allowing them to affect as many files as possible. However, partial encryption sometimes leaves the door open for file recovery because it scrambles files without making them completely unusable. White Phoenix can be used to piece some file types back together by using the unaffected data. Read more.
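To illustrate why partially encrypted files remain recoverable, here is an added Python example (not CyberArk's White Phoenix code): it locates the blocks an intermittent scheme left untouched by their low byte entropy and carves them out. The block size, threshold, sample text and the simulated encryption routine are all constructed for the demonstration.

```python
import math
import os

BLOCK = 512  # assumed chunk size; chosen so that a random block has high measured entropy

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext or random data, around 4 for English text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def classify_blocks(blob: bytes, block: int = BLOCK, threshold: float = 6.0):
    """Return (offset, is_encrypted) for each block; is_encrypted is an entropy guess."""
    return [(off, shannon_entropy(blob[off:off + block]) >= threshold)
            for off in range(0, len(blob), block)]

def carve_plaintext(blob: bytes, block: int = BLOCK, threshold: float = 6.0) -> bytes:
    """Concatenate the blocks that were left unencrypted: the data a recovery tool can reuse."""
    return b"".join(blob[off:off + block]
                    for off, enc in classify_blocks(blob, block, threshold) if not enc)

def simulate_intermittent_encryption(plain: bytes, block: int = BLOCK, every: int = 3) -> bytes:
    """Constructed stand-in for intermittent encryption: overwrite every N-th block with random bytes.
    Real ransomware uses a cipher; random bytes reproduce the same high-entropy footprint."""
    out = bytearray(plain)
    for i, off in enumerate(range(0, len(plain), block)):
        if i % every == 0:
            size = min(block, len(plain) - off)
            out[off:off + size] = os.urandom(size)
    return bytes(out)

# Constructed sample document: exactly four blocks of repetitive English text.
SAMPLE_PLAINTEXT = (b"Quarterly report: revenue rose while costs fell. " * 60)[:4 * BLOCK]

if __name__ == "__main__":
    damaged = simulate_intermittent_encryption(SAMPLE_PLAINTEXT)
    for off, enc in classify_blocks(damaged):
        print(f"offset {off:5d}: {'encrypted' if enc else 'intact'}")
    print(f"recovered {len(carve_plaintext(damaged))} of {len(damaged)} bytes")
```

The entropy check alone does not rebuild a file; format-aware tools additionally use the surviving structure (for example intact PDF objects or Office archive entries) to reassemble what the intact blocks contain.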
Microsoft’s May patch addresses 38 flaws and an active zero-day bug
This month’s Patch Tuesday from Microsoft fixes 38 bugs, six rated as “critical” and 32 rated as “important.” Eight of the flaws have been flagged by Microsoft as “Exploitation More Likely.” CVE-2023-29336 (CVSS score: 7.8), a privilege escalation flaw in Win32k that has come under active exploitation and allows an attacker to gain SYSTEM privileges, is at the top of the list. Users should note that the update “is disabled by default and requires customers to apply the revocations manually, but not before updating all bootable media.” Read more.
Attackers gain root privileges by exploiting new Linux kernel NetFilter flaw
Security researchers have discovered a Linux flaw “that allows unprivileged local users to start a root shell on impacted systems” and gain complete control. The flaw comes from “Netfilter nf_tables accepting invalid updates to its configuration, allowing specific scenarios where invalid batch requests lead to the corruption of the subsystem’s internal state.” The flaw is present across multiple Linux kernel releases but requires local access to a Linux device to exploit it. The nuts and bolts of the flaw and how an attacker could exploit it are set to be made officially public next week. Read more.
North Korean hacker group Kimsuky using OneDrive links to spread malware
A campaign by the North Korean threat actor group Kimsuky has been discovered to target government agencies and individuals at universities in North America, Europe, and Asia using expertly crafted spear phishing emails containing malicious Microsoft OneDrive links. The emails are designed to appear as authentic as possible, avoiding the usual poor grammar or formatting issues that raise red flags and abusing “the names of real individuals whose expertise is relevant to the lure subject, such as political scientists.” Kimsuky uses ReconShark malware, a new variant of BabyShark, to exfiltrate data from infected devices and deliver payloads “depending on what detection mechanism processes run on infected machines.” Read more.
Microsoft reports that state-sponsored attackers are exploiting PaperCut vulnerability
Microsoft has reported that Iranian state-sponsored threat actors Mango Sandstorm and Mint Sandstorm have been observed taking advantage of a flaw recently discovered in PaperCut. “CVE-2023-27350 (CVSS score: 9.8) relates to a critical flaw in PaperCut MF and NG installations that an unauthenticated attacker could exploit to execute arbitrary code with SYSTEM privileges.” Mint Sandstorm, a group associated with the Islamic Revolutionary Guard Corps, has displayed its ability to quickly utilize newly discovered flaws to their fullest to suit its needs. Mango Sandstorm, linked to Iran’s Ministry of Intelligence and Security, has been using less sophisticated penetration tactics that require “tools from previous intrusions.” Read more.
FBI continues crackdown on cybercrime with seizure of DDoS-for-hire domains
The US Justice Department has reported that the FBI has seized 13 domains associated with DDoS-for-hire services that allow anyone to attack a victim of their choice for a price. The “Operation PowerOFF” campaign is designed to disrupt the online marketplace of platforms and tools that make cyberattacks easy to pull off. The seizure follows one last December in which 48 domains were taken down. Out of the 13 in this recent bust, 10 are reincarnations of those seized last December, illustrating the persistent nature of illegal online activity. Read more.
Akira ransomware emerges and begins collecting victims
Launched in March of 2023, Akira ransomware has been building a roster of victims, claiming to have already attacked 16 in the education, finance, real estate, manufacturing, and consulting industries. As with most ransomware outfits, Akira threatens to sell and publish the data stolen from victims who refuse to pay up. Akira developers have spent a reasonable amount of time on their branding, creating a retro-looking site to communicate with victims and post stolen data. The group has already used its site to leak data belonging to four organizations. Read more.
Cactus ransomware avoids antivirus detection by encrypting itself
A new ransomware called Cactus, first observed in March of 2023, “has been exploiting vulnerabilities in VPN appliances for initial access to networks of large commercial entities.” This ransomware is noteworthy because it can evade detection thanks to its “use of encryption to protect the ransomware binary.” Thus far, no public statements have been made by victims regarding the amount of money that Cactus threat actors are demanding, but BleepingComputer reports that a source told them it was in the millions. Given how new Cactus is, little information is available about the hackers’ operations and behavior. Read more.