SAN MATEO, CA, November 14, 2022 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Brought to you by NetworkTigers.
- OpenLiteSpeed Web Server contains high-severity flaws
- US Health Department issues warning regarding Venus ransomware
- US midterm elections largely unaffected by “nuisance” cyberattacks
- New Chrome browser botnet lurks within fake Adobe Flash Player updates
- Hackers begin posting Medibank customer data after company refuses to pay ransom
- Azov data wiper poses as ransomware, frames security researchers
- Scanner used to inspect suspicious URLs actually leaking sensitive data
- Phishing scams targeting verified Twitter users spike amidst Elon Musk’s changing policies
OpenLiteSpeed Web Server contains high-severity flaws
OpenLiteSpeed, the sixth most popular web server, has been found to contain three high-severity flaws that threat actors can exploit: a directory traversal flaw, a privilege escalation vulnerability and a command injection bug. Experts warn that these flaws can be chained to gain fully privileged remote code execution on a targeted system. The most current version of OpenLiteSpeed has these flaws patched, so updating is critical to avoid being hacked.
US Health Department issues warning regarding Venus ransomware
Venus ransomware attacks have begun targeting US healthcare organizations, according to a warning issued by the Department of Health and Human Services (HHS). Venus was discovered in August 2022 and has since infected dozens of corporate organizations globally. The criminals behind Venus typically break in through publicly exposed Remote Desktop services in order to encrypt Windows devices. According to the report, “the operators of Venus ransomware are not believed to operate as a ransomware-as-a-service (RaaS) model and no associated data leak site (DLS) exists at this time.”
US midterm elections largely unaffected by “nuisance” cyberattacks
US cybersecurity officials are breathing a bit easier, as fears of widespread cyberattacks against government websites on voting day did not materialize. A handful of local and state government websites were hit by attacks that limited people’s ability to access polling location data, but no vote counts or election systems were affected. Most of the attacks, which analyst Alexander Leslie of the cybersecurity firm Recorded Future referred to as “a minor nuisance,” have not yet been attributed. However, a pro-Russia group has taken credit for the DDoS attack carried out against the website of Mississippi’s secretary of state.
New Chrome browser botnet lurks within fake Adobe Flash Player updates
“Cloud9,” a newly discovered Chrome browser botnet, has been seen in the wild stealing credentials and keystroke data while injecting malicious code and ads. It can also enlist a victim’s computer for use in DDoS attacks. The malicious extension is not distributed through official channels; instead it hides inside websites that purport to push Adobe Flash Player updates. The malware has been observed globally and appears to be spreading effectively. Cloud9 is believed to have been developed by the Keksec malware group, and Google urges all users to always run the most current version of Chrome and to enable the browser’s Enhanced Protection options.
Hackers begin posting Medibank customer data after company refuses to pay ransom
The ransomware attack on Australia’s Medibank continues to make waves, as the hackers have begun dumping customer data onto the dark web. Medibank finds itself in a challenging position: it has opted not to pay the hackers and now faces customer outrage as the threat actors drip stolen information online, where it can be used to build future cyberattacks. The data, compiled into “naughty” and “nice” lists, has been appearing on a blog associated with the Russian hacking gang REvil. Medibank is steadfast in its decision not to comply with the attackers’ demands and is telling customers to be vigilant and on the lookout for scams that use their data.
Azov data wiper poses as ransomware, frames security researchers
A heavily distributed piece of malware called Azov Ransomware has been discovered to actually be a data wiper. Victims are presented with no ransom request when the malware launches; instead they see a document telling them to contact a list of security researchers and blogs to recover their data. Azov destroys data in 666-bit increments and the damage is unrecoverable. Researchers are unclear as to why a threat actor would not only distribute such malware but actually pay to have it done. One theory suggests that Azov is being used as a smokescreen to cover up or distract from other malicious activity.
Scanner used to inspect suspicious URLs actually leaking sensitive data
URLscan.io, a platform used to scan potentially malicious or suspicious website addresses, has been found to inadvertently leak information by making sensitive URLs submitted by users publicly listed and searchable. The data exposed to threat actors includes “password reset links, email unsubscribe links, account creation URLs, API keys, information about Telegram bots, DocuSign signing requests, shared Google Drive links, Dropbox file transfers, invite links to services like SharePoint, Discord, and Zoom, PayPal invoices, Cisco Webex meeting recordings, and URLs for package tracking.”
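The practical defensive lesson from the URLscan.io story is that a URL bound for any public scanner should be checked, and if necessary redacted, before it leaves your environment. The following is an added example, not code from the article or from urlscan.io: the parameter-name list, the path hints and the "long opaque alphanumeric value" heuristic are this editor's assumptions, and the sample URLs are constructed.

```python
"""Pre-submission check for URLs headed to a public URL scanner.

Added example; the heuristics below are assumptions chosen to match the link
types the article names (reset, unsubscribe, invite, signing and share links),
not a list published by the article or by any scanning service.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query-parameter names that commonly carry one-time or long-lived secrets
# (assumed list; extend it for your own environment).
SENSITIVE_PARAMS = {
    "token", "reset_token", "api_key", "apikey", "key", "access_token",
    "auth", "code", "sig", "signature", "unsubscribe", "invite", "session",
}

# Path fragments typical of links that embed a secret (assumed list).
SENSITIVE_PATH_HINTS = ("reset", "unsubscribe", "invite", "signup", "register", "verify")


def _looks_like_secret(value: str) -> bool:
    """Long, purely alphanumeric values mixing letters and digits are treated
    as opaque tokens even when the parameter name is innocuous."""
    return (
        len(value) >= 20
        and value.isalnum()
        and any(c.isdigit() for c in value)
        and any(c.isalpha() for c in value)
    )


def redact_url(url: str) -> dict:
    """Classify a URL and return a copy safe to submit to a public scanner.

    Returns a dict with:
      sensitive      - True if anything was flagged
      flagged_params - query parameter names whose values were redacted
      path_hints     - matched path fragments (e.g. 'reset')
      redacted       - URL with flagged values replaced and fragment dropped
    """
    parts = urlsplit(url)
    flagged, cleaned = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAMS or _looks_like_secret(value):
            flagged.append(name)
            cleaned.append((name, "REDACTED"))
        else:
            cleaned.append((name, value))
    path_hits = [h for h in SENSITIVE_PATH_HINTS if h in parts.path.lower()]
    # The fragment never reaches a server but may hold client-side tokens, so drop it.
    redacted = urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(cleaned), ""))
    return {
        "sensitive": bool(flagged or path_hits),
        "flagged_params": flagged,
        "path_hints": path_hits,
        "redacted": redacted,
    }


if __name__ == "__main__":
    # Constructed sample inputs.
    for u in (
        "https://example.test/account/reset?token=AbC123def456GhI789jkL0&lang=en",
        "https://docs.example.test/share?id=9f8e7d6c5b4a3f2e1d0c9b8a7f6e",
        "https://example.test/news?page=2",
    ):
        print(redact_url(u))
```

A URL that comes back with `sensitive` set to True should either be submitted in its redacted form, or submitted with whatever private-visibility option the scanner offers, rather than with the default public listing.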
Phishing scams targeting verified Twitter users spike amidst Elon Musk’s changing policies
As Twitter haphazardly rolls out new policies regarding the network’s verification process, criminals have seized the opportunity to launch phishing scams that target the owners of accounts that already have a blue checkmark. The emails contain a link to a page that asks users for their username and password and then sends them a two-factor authentication link via SMS. The emails create a sense of urgency, telling the recipient that they must comply or face account suspension.