SAN MATEO, CA, May 22, 2023 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Brought to you by NetworkTigers.
- Cisco updates Small Business Series switches to patch critical flaws that could allow remote attacks
- New MalasLocker ransomware group demands donations to charity, not ransom
- Apple blocked 1.7 million apps and over $2 billion transactions in 2022 for security purposes
- Wemo Smart Plug bug can be used by hackers for a variety of nefarious purposes
- CopperStealer malware reappears with new features and phishing kit
- MacOS devices under attack from open-source Cobalt Strike port “Geacon”
- New RA Group ransomware outfit observed targeting US organizations with custom executables
- Hackers targeting new WordPress flaw to steal sensitive data
Cisco updates Small Business Series switches to patch critical flaws that could allow remote attacks
Cisco has released an update that addresses nine flaws in its Small Business Series switches that could be used by a hacker to run code remotely or “cause a denial-of-service (DoS) condition.” Four of the bugs carry a CVSS rating of 9.8, making them critical to fix. The bugs affect a number of the company’s switches, but “Cisco said it does not plan to release firmware updates for Small Business 200 Series Smart Switches, Small Business 300 Series Managed Switches, Small Business 500 Series Stackable Managed Switches” because those models are no longer supported and have “entered the end-of-life process.”
New MalasLocker ransomware group demands donations to charity, not ransom
A new ransomware group called MalasLocker has been targeting Zimbra servers and corrupting files and folders using a currently unidentified encryptor that appears to be derived from AgeLocker. What makes MalasLocker unusual is that, instead of demanding a ransom, it requires victims to donate to a non-profit charity and provide proof of having done so. The group has a pointedly “hacktivist” agenda that frames its use of ransomware as a way to strong-arm corporations into putting money where it matters rather than into their own pockets, or the pockets of other profit-minded criminals. It is not yet known whether MalasLocker keeps its word and restores files once a donation has been made.
Apple blocked 1.7 million apps and over $2 billion transactions in 2022 for security purposes
Apple blocked more than $2 billion in transactions that it flagged as “potentially fraudulent” and “blocked almost 1.7 million app submissions for privacy, security, and content policy violations in 2022.” Apple also “terminated 428,000 developer accounts for potentially fraudulent activity, deactivated 282 million fraudulent customer accounts, and blocked 105 million developer account creations for suspected fraudulent activities.” Apple and Google continually review developer submissions to their marketplaces in the interest of security, with Apple alone inspecting “an average of over 100,000 app submissions weekly.”
Wemo Smart Plug bug can be used by hackers for a variety of nefarious purposes
The Wemo Smart Plug V2, an adapter that sits between a device and a wall outlet and turns ordinary electronics into app-controlled smart devices, has been found to contain an unpatched bug. CVE-2023-27217 is a buffer-overflow vulnerability that could allow hackers to do anything from switching electronics on or off to penetrating networks and “hopscotching” to other devices. Belkin, the manufacturer of the Wemo Smart Plug, has stated that no patch is coming because the device is no longer supported. The plug’s flaw illustrates the continuing risk inherent in IoT devices and how seemingly innocuous products can be leveraged in cyberattacks.
CopperStealer malware reappears with new features and phishing kit
CopperStealer malware has been retooled and deployed by a financially motivated threat group called Water Orthrus. The new version of the malware delivers two payloads, CopperStealth and CopperPhish. CopperStealth “incorporates a task module that enables it to call out to a remote server and retrieve the command to be executed on the infected machine, equipping the malware to drop more payloads.” CopperPhish, on the other hand, “takes advantage of an analogous process to deploy the malware via PPI networks behind free anonymous file-sharing websites.” Water Orthrus is known for spreading its malware via cracked-software sites.
MacOS devices under attack from open-source Cobalt Strike port “Geacon”
macOS devices are increasingly being targeted by attackers using Geacon, described by BleepingComputer as a “Go-based implementation of the beacon from the widely abused penetration testing suite Cobalt Strike.” Geacon appeared on GitHub years ago, but hackers seemed largely uninterested in its potential for attacking macOS. However, anonymous Chinese developers have added two Geacon forks to GitHub, one of which is free and publicly available. One fork was recently added to the 404 Starlink project, a “public GitHub repository dedicated to red-team pen-testing tools maintained by the Zhizhi Chuangyu Laboratory.” This has raised Geacon’s profile and attracted the attention of hackers, who have been using it for network communications, data encryption and decryption, downloading payloads, and exfiltrating data from compromised systems.
New RA Group ransomware outfit observed targeting US organizations with custom executables
RA Group is a new ransomware gang that is actively targeting pharmaceutical, insurance, wealth management, and manufacturing firms in the United States and South Korea. According to Cisco Talos, “RA Group uses an encryptor based on the leaked source code for the Babuk ransomware, a ransomware operation that shut down in 2021.” Unusually, RA Group uses a custom ransom note for each victim, as well as an executable named after that victim. “The ransomware targets all logical drives on the victim’s machine and network shares and attempts to encrypt specific folders, excluding those related to the Windows system, boot, Program Files, etc.”
Hackers targeting new WordPress flaw to steal sensitive data
Within 24 hours of Patchstack publishing a proof-of-concept exploit, hackers began using it to attack WordPress sites, stealing sensitive data and escalating their privileges. The flaw exists in the WordPress Advanced Custom Fields plugin and is tracked as CVE-2023-30777, “a high-severity reflected cross-site scripting (XSS) flaw.” The PoC was released on May 5th, and researchers at Akamai Security Intelligence Group (SIG) reported that the very next day they “observed significant scanning and exploitation activity using the sample code provided in Patchstack’s write-up.”