SAN MATEO, CA, September 25, 2023 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Brought to you by NetworkTigers.
- Emergency updates issued by Apple fix three new zero-day exploits
- Stealthy malware variants allow P2PInfect botnet activity to surge
- Nagios XI network monitoring software contains critical security flaws
- GitLab to users: install security updates to patch severe flaw
- Malicious AI tool WormGPT updated to feature-rich version 2
- Asia/Pacific-based card skimming campaign sets sights on North American victims
- Microsoft accidentally exposes 38TB of private data due to misconfigured GitHub repository
- Transparent Tribe state hackers spread Android malware with YouTube app clones
- MGM Resorts hackers make statement about their strategy
- Ambersquid cryptojacking campaign sets sights on uncommon AWS services
Emergency updates issued by Apple fix three new zero-day exploits
Apple has issued emergency updates fixing three actively exploited zero-day vulnerabilities affecting iPhone and Mac users, bringing the total to 16 zero-days patched in 2023 so far. CVE-2023-41991, in the Security framework, lets a malicious app bypass signature validation; CVE-2023-41993, in the WebKit browser engine, allows arbitrary code execution when a maliciously crafted webpage is processed. The third flaw, CVE-2023-41992 in the kernel, could be exploited by a local attacker to escalate privileges. Taken together, the three map onto the stages of a typical exploit chain (code execution from web content, signature-check bypass, privilege escalation), though Apple has yet to disclose specific exploitation details. The fixes shipped in iOS 17.0.1 and iPadOS 17.0.1, iOS 16.7 and iPadOS 16.7, macOS Ventura 13.6, watchOS 10.0.1 and 9.6.3, and Safari 16.6.1. Read more.
Stealthy malware variants allow P2PInfect botnet activity to surge
According to Cado Security researchers, the P2PInfect botnet has “entered a new period of code stability that allows it to ramp up its operation.” Reports indicate that P2PInfect has been upgraded with features that make it a “stealthier, more formidable threat.” New abilities include “a cron-based persistence mechanism that replaces the previous ‘bash_logout’ method, triggering the main payload every 30 minutes,” the use of a “secondary bash payload to communicate with the primary payload via a local server socket,” and the use of an SSH key to “overwrite any SSH authorized_keys on the breached endpoint to prevent legitimate users from logging in via SSH.” Recent surges in P2PInfect traffic and a steadily expanding volume of variants in the wild lead researchers to believe that the malware’s creators are “operating at an extremely high development cadence.” Read more.
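The three persistence traits above (a 30-minute cron trigger, the older bash_logout hook, and a replaced authorized_keys file) are all cheap to check for on a Linux host. The script below is an added example, not Cado Security's tooling or P2PInfect code; it does not know the botnet's exact cron line or public key, so it reports the generic side effects instead, and the crontab, bash_logout and authorized_keys contents it runs over are constructed samples passed in as strings. The operator allowlist of known key blobs is likewise assumed.

```python
"""Host triage for the P2PInfect persistence traits described above.

Added example, not Cado Security's tooling or P2PInfect's code. It does not
know the botnet's exact cron line or SSH public key, so it looks for the
generic side effects the research describes:
  * a cron entry that fires every 30 minutes,
  * a ~/.bash_logout that runs anything beyond the stock screen-clearing logic,
  * an authorized_keys file reduced to keys outside an operator allowlist.
File contents are passed in as strings so the checks run offline against the
constructed samples at the bottom as well as against real files.
"""
import re
from typing import Dict, Iterable, List

# "*/30 * * * *" or "0,30 * * * *" style schedules. In /etc/crontab and
# /etc/cron.d the captured command field starts with the run-as user.
EVERY_30_MIN = re.compile(r"^(\*/30|0,30|30,0)\s+\*\s+\*\s+\*\s+\*\s+(?P<cmd>.+)$")

# Lines present in the stock Debian/Ubuntu ~/.bash_logout; anything else is reported.
STOCK_BASH_LOGOUT = {
    'if [ "$SHLVL" = 1 ]; then',
    "[ -x /usr/bin/clear_console ] && /usr/bin/clear_console -q",
    "fi",
}

KEY_LINE = re.compile(
    r"(?P<type>ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp(?:256|384|521)|sk-[\w@.-]+)"
    r"\s+(?P<blob>[A-Za-z0-9+/=]+)"
)


def _active_lines(text: str) -> List[str]:
    """Non-empty, non-comment lines with surrounding whitespace removed."""
    return [ln.strip() for ln in text.splitlines() if ln.strip() and not ln.strip().startswith("#")]


def find_30min_cron_entries(crontab_text: str) -> List[str]:
    """Commands of cron lines scheduled every 30 minutes."""
    hits = []
    for line in _active_lines(crontab_text):
        m = EVERY_30_MIN.match(line)
        if m:
            hits.append(m.group("cmd").strip())
    return hits


def bash_logout_extra_commands(bash_logout_text: str) -> List[str]:
    """Commands in ~/.bash_logout that are not part of the stock file."""
    return [ln for ln in _active_lines(bash_logout_text) if ln not in STOCK_BASH_LOGOUT]


def authorized_keys_findings(authorized_keys_text: str, known_blobs: Iterable[str]) -> Dict[str, object]:
    """Keys not in the allowlist, and whether the file now holds only foreign keys
    (the 'overwrite' pattern: legitimate keys gone, attacker key present)."""
    known = set(known_blobs)
    blobs = []
    for line in _active_lines(authorized_keys_text):
        m = KEY_LINE.search(line)  # search, not match: an options field may precede the key
        if m:
            blobs.append(m.group("blob"))
    unknown = [b for b in blobs if b not in known]
    return {"unknown": unknown, "only_foreign": bool(blobs) and len(unknown) == len(blobs)}


def triage(crontab_text: str, bash_logout_text: str, authorized_keys_text: str,
           known_blobs: Iterable[str]) -> List[str]:
    """Human-readable findings across the three persistence locations."""
    findings = []
    for cmd in find_30min_cron_entries(crontab_text):
        findings.append(f"cron: 30-minute schedule runs {cmd!r}")
    for cmd in bash_logout_extra_commands(bash_logout_text):
        findings.append(f"bash_logout: unexpected command {cmd!r}")
    keys = authorized_keys_findings(authorized_keys_text, known_blobs)
    for blob in keys["unknown"]:
        findings.append(f"authorized_keys: unknown key ...{blob[-12:]}")
    if keys["only_foreign"]:
        findings.append("authorized_keys: no allowlisted key remains; file may have been overwritten")
    return findings


# Constructed samples (not real P2PInfect artefacts): a cron persistence entry and
# an authorized_keys file that has been replaced with a single unknown key.
SAMPLE_CRONTAB = """# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/30 * * * * /tmp/.x/linux >/dev/null 2>&1
"""
SAMPLE_BASH_LOGOUT = """# ~/.bash_logout: executed by bash(1) when login shell exits.
if [ "$SHLVL" = 1 ]; then
    [ -x /usr/bin/clear_console ] && /usr/bin/clear_console -q
fi
"""
SAMPLE_AUTHORIZED_KEYS = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFoReIgNkEyAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA intruder\n"
OPERATOR_KEYS = {"AAAAC3NzaC1lZDI1NTE5AAAAIOpErAtOrKeYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"}

if __name__ == "__main__":
    for finding in triage(SAMPLE_CRONTAB, SAMPLE_BASH_LOGOUT, SAMPLE_AUTHORIZED_KEYS, OPERATOR_KEYS):
        print(finding)
```

On a real host, feed it the per-user crontabs (crontab -l -u), /etc/crontab and /etc/cron.d/*, every ~/.bash_logout, and every authorized_keys file; the "only foreign key remains" finding is the one that matches the lock-out behaviour Cado describes, and a 30-minute cron job pointing into /tmp or a dot-directory is worth a look even without a known hash.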
Nagios XI network monitoring software contains critical security flaws
Four security vulnerabilities have been reported in the Nagios XI network monitoring software. The flaws, responsibly disclosed to the developer in August, were patched in version 5.11.2. Three of them, CVE-2023-40931, CVE-2023-40933 and CVE-2023-40934, are described by security firm Outpost24 as SQL injection bugs that allow “users, with various levels of privileges, to access database fields via SQL Injections.” The fourth, CVE-2023-40932, “relates to a cross-site scripting (XSS) flaw in the Custom Logo component that could be used to read sensitive data, including cleartext passwords from the login page.” Because the flaws are reachable by authenticated users “with various levels of privileges,” they matter most where Nagios XI accounts are shared, weakly protected, or handed out broadly. Users are encouraged to update to the current version as soon as possible, since the bugs otherwise allow execution of arbitrary SQL commands, injection of arbitrary JavaScript, and reading or modification of page data. Read more.
GitLab to users: install security updates to patch severe flaw
GitLab is urging all users of its web-based Git repository and DevOps platform to install security updates for a critical vulnerability, CVE-2023-5009, that allows a threat actor to “run pipelines as other users via scheduled security scan policies.” The bug affects GitLab Community Edition (CE) and Enterprise Edition (EE) from version 13.12 up to but not including 16.2.7, and from 16.3 up to but not including 16.3.4; 16.2.7 and 16.3.4 contain the fix. Running a pipeline as another user lets an attacker access sensitive data, modify data, or execute code with whatever permissions the impersonated user holds in the GitLab instance. GitLab describes the flaw as a bypass of its earlier fix for CVE-2023-3932 and notes it is exploitable only when both the Direct transfers and Security policies features are enabled, so installations that cannot upgrade immediately can mitigate it by disabling one of the two. Read more.
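Two half-open version ranges are easy to misjudge by eye (16.2.7 is fixed, 16.2.6 is not), so the check below encodes them explicitly. It is an added example, not GitLab tooling; the ranges are those in GitLab's advisory, and the only GitLab-specific assumption is the shape of the GET /api/v4/version response, which returns a JSON object with a "version" field such as "16.3.3-ee". The sample response body is constructed.

```python
"""Decide whether a GitLab CE/EE version is affected by CVE-2023-5009.

Added example, not GitLab's tooling. The affected ranges are those from GitLab's
advisory: 13.12 up to (not including) 16.2.7, and 16.3 up to (not including)
16.3.4. version_from_api_json handles the body of GitLab's /api/v4/version
endpoint, which returns {"version": "16.3.3-ee", ...}.
"""
import json
from typing import Tuple

Version = Tuple[int, int, int]

# Half-open ranges [first_affected, first_fixed).
AFFECTED_RANGES = [
    ((13, 12, 0), (16, 2, 7)),
    ((16, 3, 0), (16, 3, 4)),
]


def parse_version(text: str) -> Version:
    """'16.3.3-ee' -> (16, 3, 3). Edition suffixes and pre-release tags are dropped."""
    core = text.strip().split("-", 1)[0]
    parts = [int(p) for p in core.split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts += [0] * (3 - len(parts))
    return parts[0], parts[1], parts[2]


def is_affected(text: str) -> bool:
    """True when the version falls inside one of the advisory's ranges."""
    v = parse_version(text)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def version_from_api_json(body: str) -> str:
    """Extract the version string from a GET /api/v4/version response body."""
    return json.loads(body)["version"]


def report(text: str) -> str:
    """One-line verdict naming the patch release for the installed minor."""
    v = parse_version(text)
    if any(lo <= v < hi for lo, hi in AFFECTED_RANGES):
        fixed = "16.3.4" if v >= (16, 3, 0) else "16.2.7"
        return f"{text}: AFFECTED by CVE-2023-5009; upgrade to {fixed} or later"
    return f"{text}: not in an affected range"


if __name__ == "__main__":
    # Constructed response body; a real check would call GET /api/v4/version
    # with a PRIVATE-TOKEN header and pass the body in here.
    sample = '{"version": "16.3.3-ee", "revision": "abc123"}'
    print(report(version_from_api_json(sample)))
```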
Malicious AI tool WormGPT updated to feature-rich version 2
WormGPT is an “AI module system that gives the threat actors abilities to launch automated attacks like phishing.” It offers unlimited character support, chat memory retention, and code formatting. Sold for crypto-only payments, keeping no user logs, and marketed for malware, business email compromise (BEC) and other attacks, the language model has troubled security researchers, who are widely concerned about how threat actors will continue to leverage AI for malicious ends. WormGPT V2 advertises even more: faster operation, code formatting, “no limitations,” a choice of underlying AI models, and a deeper focus on privacy. The service reportedly costs only $300 for lifetime access, putting this capability within reach of even the most bootstrapped threat actors. Read more.
Asia/Pacific-based card skimming campaign sets sights on North American victims
A threat actor targeting e-commerce sites and point-of-sale service providers with credit card skimming for more than a year in the Asia/Pacific region has turned towards North and Latin America in search of new victims. The campaign’s main objective is to “gain access to the payment pages on these sites and drop malware for stealing card numbers belonging to people making online purchases.” Calling the activity “Silent Skimmer,” BlackBerry researchers have called the technique complex and noted that it likely is being executed by a competent, experienced threat actor due to how the campaign “has readjusted its command-and-control (C2) infrastructure based on the geolocation of the victims.” This is reportedly to “ensure that traffic to and from the compromised servers blends in with normal traffic.” Read more.
Microsoft accidentally exposes 38TB of private data due to misconfigured GitHub repository
Microsoft’s AI research division accidentally exposed 38TB of internal data accumulated over roughly three years through a GitHub repository “meant only to provide access to open source code and AI models for image recognition.” The repository’s download link was an Azure Storage URL carrying a shared access signature (SAS) token that, rather than being scoped to the intended files, “granted permissions on the entire account,” with full-control rather than read-only permissions and an expiry set in 2051. According to cloud security firm Wiz, which found the exposure, “the backups contained sensitive personal data, including passwords to Microsoft services, secret keys, and over 30,000 internal Microsoft Teams messages from 359 Microsoft employees.” The case also shows why an account-level SAS token deserves the same handling as a storage account key: Azure keeps no inventory of issued tokens, and an account SAS can only be invalidated by rotating the account key that signed it. No organization, however adept, is immune to this kind of human error. Read more.
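The over-broad grant is visible in the SAS URL's query string alone, which makes this class of mistake catchable in a pre-commit or secret-scanning hook. The auditor below is an added example, not Wiz's or Microsoft's tooling; it reads only the documented SAS parameters (ss/srt mark an account SAS, sr a service SAS, skoid a user-delegation SAS, sp permissions, se expiry, si a stored access policy, sip an IP restriction), does no signature verification and makes no network calls. The 90-day lifetime limit is this example's own policy choice, and both sample URLs are constructed with placeholder signatures.

```python
"""Audit an Azure Storage shared access signature (SAS) URL for over-broad grants.

Added example, not Wiz's or Microsoft's tooling; it inspects only the SAS query
parameters (no signature check, no network). Parameter meanings follow Azure's
documented SAS format: ss/srt are only present on an account SAS, sr on a
service SAS, skoid on a user-delegation SAS; sp carries permissions, se the
expiry, si a stored access policy, sip an allowed IP range. The 90-day lifetime
limit is this example's own policy choice, and the sample URLs below are
constructed (the sig values are placeholders).
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlparse

MAX_LIFETIME = timedelta(days=90)
READ_ONLY = {"r", "l"}  # read and list; every other sp letter modifies or deletes data


def _parse_se(value: str) -> datetime:
    """Parse an se/st timestamp (YYYY-MM-DD, ...Thh:mmZ or ...Thh:mm:ssZ) as UTC."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    dt = datetime.fromisoformat(value)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def sas_kind(params: Dict[str, str]) -> str:
    """Classify the token by which scoping parameters it carries."""
    if "ss" in params or "srt" in params:
        return "account"
    if "skoid" in params:
        return "user-delegation"
    return "service"


def audit_sas_url(url: str, now: Optional[datetime] = None) -> Dict[str, object]:
    """Return the SAS kind and a list of findings; an empty list means nothing over-broad was seen."""
    now = now or datetime.now(timezone.utc)
    params = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    if "sig" not in params or "sv" not in params:
        return {"is_sas": False, "kind": None, "findings": []}

    kind = sas_kind(params)
    findings: List[str] = []
    if kind == "account":
        findings.append("account SAS: scope is the whole storage account, not one container or blob, "
                        "and it can only be revoked by rotating the account key")
        if {"s", "c", "o"} <= set(params.get("srt", "")):
            findings.append("srt=sco: service-, container- and object-level operations all permitted")
    extra = set(params.get("sp", "")) - READ_ONLY
    if extra:
        findings.append(f"sp={params['sp']}: permissions beyond read/list: {''.join(sorted(extra))}")
    if "se" in params:
        remaining = _parse_se(params["se"]) - now
        if remaining > MAX_LIFETIME:
            findings.append(f"se={params['se']}: valid for {remaining.days} more days, "
                            f"over the {MAX_LIFETIME.days}-day limit")
    elif "si" not in params:
        findings.append("no se and no stored access policy (si): expiry is not bounded by the token")
    if "sip" not in params:
        findings.append("no sip: usable from any source IP")
    return {"is_sas": True, "kind": kind, "findings": findings}


# Constructed URLs. The first has the shape of an account SAS with full
# permissions and a far-future expiry; the second is a read-only, short-lived,
# IP-restricted service SAS on a single blob.
OVERBROAD_URL = ("https://exampleacct.blob.core.windows.net/models/"
                 "?sv=2020-08-04&ss=btqf&srt=sco&sp=rwdlacupx&st=2021-10-06T00:00:00Z"
                 "&se=2051-10-06T00:00:00Z&spr=https&sig=PLACEHOLDER")
SCOPED_URL = ("https://exampleacct.blob.core.windows.net/models/weights.bin"
              "?sv=2020-08-04&sr=b&sp=r&se=2023-09-25T00:00:00Z&sip=203.0.113.10&sig=PLACEHOLDER")
AS_OF = datetime(2023, 9, 18, tzinfo=timezone.utc)

if __name__ == "__main__":
    for url in (OVERBROAD_URL, SCOPED_URL):
        result = audit_sas_url(url, now=AS_OF)
        print(result["kind"], result["findings"] or "no findings")
```

Run against the first URL the auditor reports five findings (account scope, srt=sco, write permissions, multi-decade expiry, no IP restriction); the second produces none. For sharing a single model file the scoped form is what should have been minted: sr=b on one blob, sp=r, an expiry measured in days, and, where feasible, a stored access policy (si) so the grant can be revoked without rotating the account key.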
Transparent Tribe state hackers spread Android malware with YouTube app clones
APT36, a Pakistan state-affiliated threat actor also known as “Transparent Tribe,” has been found engaging in a campaign in which they infect victims with their signature CapraRAT trojan via three Android apps that mimic YouTube. The apps exist outside the Google Play store, with victims led to them via romance-based social engineering techniques. CapraRAT can collect data through camera and microphone recording, text messages, screen captures, and more. While Transparent Tribe’s methods are generally easy to identify as scams, they continually roll out new campaigns. They are prolific enough to gain victims regularly despite a lack of sophistication. Read more.
MGM Resorts hackers make statement about their strategy
Finally making an official statement regarding the hack of MGM Resorts, ALPHV has disclosed that their efforts were successful due to cracking into the company’s Okta Agent. “MGM made the hasty decision to shut down every one of their Okta Sync servers after learning that we had been lurking in their Okta Agent servers,” ALPHV said on their leak site. The threat actors claim they remained on the company’s Okta for a day to gather passwords and data before launching a ransomware attack on over 1,000 ESXi hypervisors. ALPHV also claims to have retained access to portions of MGM Resorts’ infrastructure, from which it intends to engage in further attacks due to the company not participating in negotiations. The group has also stated that it plans to release stolen data to Troy Hunt of Have I Been Pwned to disclose if he wishes. Read more.
Ambersquid cryptojacking campaign sets sights on uncommon AWS services
A new cryptojacking operation, codenamed Ambersquid by container security firm Sysdig, targets “uncommon Amazon Web Services (AWS) offerings such as AWS Amplify, AWS Fargate, and Amazon SageMaker to illicitly mine cryptocurrency.” Some of the container images involved run miners downloaded from attacker-controlled GitHub repositories, while others run scripts that target those AWS services. Sysdig attributes the operation to Indonesian threat actors with a high degree of confidence, based on the language used in the scripts and usernames, and notes that actors from the region have a track record of cryptojacking campaigns. Read more.