SAN MATEO, CA, May 29, 2023 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Brought to you by NetworkTigers.
- Bandit Stealer malware being used to target multiple web browsers and crypto wallets
- Barracuda Email Security Gateway Appliances under attack
- Microsoft says Chinese state hackers have attacked US infrastructure
- 1.5 million WordPress sites targeted by hackers with cookie consent plugin exploit
- Update to Legion malware allows it to target SSH servers and AWS credentials
- Lazarus Group targeting Microsoft IIS servers for cyber espionage
- AI-generated image of explosion at Pentagon causes stock market dip
- Threat actor trojanizes legitimate Android screen recorder app
- KeePass vulnerability puts password manager users at risk
- Faked CapCut websites infect victims with info stealers
Bandit Stealer malware being used to target multiple web browsers and crypto wallets
Cybersecurity researchers at Trend Micro are cautioning the public about Bandit Stealer, a new information stealing malware that “has the potential to expand to other platforms, as Bandit Stealer was developed using the Go programming language, possibly allowing cross-platform compatibility.” Focusing on Windows systems “using a legitimate command-line tool called runas.exe that allows users to run programs as another user with different permissions,” Bandit Stealer’s goal is to gain administrative privileges. The malware has been observed being distributed by phishing emails as well as links in YouTube videos that claim to offer cracked software. Read more.
Barracuda Email Security Gateway Appliances under attack
Barracuda, an email protection and network security services provider, has issued a warning to users of its Email Security Gateway Appliances that a zero-day remote code injection flaw is being actively exploited. Barracuda has released two patches to fix the bug and has not disclosed the extent of the exploit or who may be responsible for its deployment. Affected users have been directly contacted and Barracuda is monitoring the situation. Read more.
Microsoft says Chinese state hackers have attacked US infrastructure
Microsoft has reported that a Chinese state-sponsored hacker group called “Volt Typhoon” has been campaigning to disrupt “critical communications infrastructure between the United States and Asia” and has compromised critical US infrastructure in order to engage in cyber espionage. According to the software giant, Volt Typhoon leverages a vulnerability in FortiGuard, a popular cybersecurity suite, to infiltrate systems, steal login credentials and then use them for deeper penetration. Microsoft says that the main goal of such operations is to remain embedded and undetected for as long as possible. Read more.
1.5 million WordPress sites targeted by hackers with cookie consent plugin exploit
Update to Legion malware allows it to target SSH servers and AWS credentials
Researchers at Cato Labs have reported that Legion malware has received an upgrade that expands its features, allowing it to compromise SSH servers as well as “Amazon Web Services (AWS) credentials associated with DynamoDB and CloudWatch.” Legion was first documented last month, and its continued evolution, according to Cato Labs, signals that “the developer’s targeting of cloud services is advancing with each iteration.” In its current form, Legion still relies largely on taking advantage of misconfigured web applications to retrieve credentials. Read more.
Lazarus Group targeting Microsoft IIS servers for cyber espionage
Lazarus Group, North Korea’s most notorious state-sponsored hacking collective, has been observed targeting Microsoft Internet Information Services (IIS) servers as part of a cyber espionage malware campaign. According to researchers at AhnLab Security Emergency Response Center, Lazarus hackers place “a malicious DLL (msvcr100.dll) in the same folder path as a normal application (Wordconv.exe) via the Windows IIS web server process, w3wp.exe. They then execute the normal application to initiate the execution of the malicious DLL.” Read more.
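The sequence AhnLab describes (the IIS worker drops a DLL next to a benign executable, then launches that executable so it loads the planted DLL) is something a defender can correlate in endpoint telemetry. The following Python detector is an added illustration, not code from AhnLab or from the original article; the Sysmon-style JSON events it runs over are constructed samples, and the field names are assumptions rather than any vendor's real schema.

```python
import json
from pathlib import PureWindowsPath

# Constructed Sysmon-style events: id 11 = FileCreate, id 1 = ProcessCreate.
# These are sample lines written for this example, not real telemetry.
SAMPLE_LOG = r'''
{"id": 11, "time": "2023-05-22T10:01:03Z", "image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "target": "C:\\inetpub\\wwwroot\\tmp\\msvcr100.dll"}
{"id": 1, "time": "2023-05-22T10:01:09Z", "parent": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "image": "C:\\inetpub\\wwwroot\\tmp\\Wordconv.exe"}
{"id": 11, "time": "2023-05-22T11:15:40Z", "image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "target": "C:\\inetpub\\logs\\LogFiles\\W3SVC1\\u_ex230522.log"}
{"id": 1, "time": "2023-05-22T11:20:00Z", "parent": "C:\\Windows\\explorer.exe", "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Wordconv.exe"}
'''

IIS_WORKER = "w3wp.exe"


def is_iis_worker(path):
    """True when the image path names the IIS worker process."""
    return PureWindowsPath(path).name.lower() == IIS_WORKER


def detect_sideload(log_text):
    """Return one alert per process spawned by w3wp.exe.

    Any child of the IIS worker is already worth a look (it is how web
    shells usually run commands). If the child's directory is one where
    w3wp.exe previously wrote a .dll, the alert is upgraded to the
    DLL side-loading pattern: the benign EXE resolves the planted DLL
    from its own folder before the system copy.
    """
    dropped = {}   # directory (lower-cased) -> (dll name, time written)
    alerts = []
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        if ev["id"] == 11 and is_iis_worker(ev["image"]):
            target = PureWindowsPath(ev["target"])
            if target.suffix.lower() == ".dll":
                dropped[str(target.parent).lower()] = (target.name, ev["time"])
        elif ev["id"] == 1 and is_iis_worker(ev["parent"]):
            image = PureWindowsPath(ev["image"])
            alert = {"time": ev["time"], "child": image.name,
                     "rule": "w3wp_spawned_process"}
            hit = dropped.get(str(image.parent).lower())
            if hit:
                alert["rule"] = "dll_sideload_via_iis"
                alert["dll"] = hit[0]
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    print(json.dumps(detect_sideload(SAMPLE_LOG), indent=2))
```

The Office-launched Wordconv.exe in the sample is the benign baseline: it produces no alert because its parent is not the IIS worker and nothing was dropped beside it.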
AI-generated image of explosion at Pentagon causes stock market dip
In an incident that highlights the impending troubles of a world where scams and deepfakes make it difficult to distinguish fact from fiction, a hoax involving an AI-generated image of an explosion at the Pentagon went viral on Twitter and even caused a brief dip in the stock market. The image, circulated on the platform by verified accounts including one associated with Russian state media and a fraudulent one impersonating the Bloomberg news agency, bears the hallmarks of generative imagery. However, its viral spread, the real-world impact it caused, and the fact that it was amplified by Twitter accounts that fake legitimacy simply by purchasing a blue checkmark signal that these kinds of actions can inflict real damage. Read more.
Threat actor trojanizes legitimate Android screen recorder app
iRecorder – Screen Recorder, an app that had been in the Google Play store since 2021 and had more than 50,000 downloads, was found to have been trojanized with AhRat, malware that “can exfiltrate files with specific extensions and microphone recordings and upload them to the attacker’s command and control (C2) server.” AhRat has been traced to Transparent Tribe, a cyber espionage group that largely targets South Asian government and military organizations. iRecorder was previously a legitimate, safe app, but the malicious code is believed to have been added through an August 2022 update. Read more.
KeePass vulnerability puts password manager users at risk
A security researcher called “vdhoney” has developed a proof-of-concept exploit for KeePass versions 2.x for Windows, Linux, and macOS that could allow a threat actor to “recover a victim’s master password in cleartext under specific circumstances.” While vdhoney says that “no code execution on the target system is required,” the exploit requires certain conditions to be met for it to be used successfully. The attacker must already have compromised the victim’s device, and the exploit also “requires that the password is typed on a keyboard and not copied from the device’s clipboard.” Read more.
Faked CapCut websites infect victims with info stealers
CapCut, ByteDance’s official video editor for TikTok, is a highly sought-after app whose website receives more than 30 million hits per month. The popularity of the app, and its ban in a number of countries, has made it a prime lure for hackers. Threat actors have been creating fake websites that claim to offer downloads of the app but instead infect victims with information-stealing malware. It’s not yet known how victims find their way to these fraudulent sites, but researchers assume that “threat actors use black hat SEO, search ads, and social media” to promote them. Security experts at Cyble discovered the websites and report that two campaigns spreading two malware variants are currently underway. Read more.