Thursday, September 21, 2023

Cybersecurity news weekly roundup September 4, 2023

SAN MATEO, CA, September 4, 2023 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Brought to you by NetworkTigers.

Highly customizable SapphireStealer generates community of hackers and myriad of variants

SapphireStealer, an info-stealing malware family whose source code is offered for free, has been heavily modified since its GitHub debut last year. Threat actors have been tailoring it to their needs and even deploying it with no coding knowledge at all. The low bar to entry and a thriving community of hackers continually improving SapphireStealer’s capabilities signal that this threat will persist, and it paves the way for more dangerous campaigns. Edmund Brumaghin, a threat researcher at Cisco Talos, cautions that “an organization might not treat an information stealer threat at the same level as another threat… but they’re often a precursor to things like ransomware and espionage.” Numerous instances and variants of SapphireStealer have been observed in the wild. Read more.

Malicious Python packages deployed in new North Korean campaign

ReversingLabs researchers have identified a trio of malicious Python packages in the Python Package Index (PyPI) that they attribute to a North Korean supply chain hacking campaign called VMConnect. VMConnect is a “collection of Python packages that mimic popular open-source Python tools to download an unknown second-stage malware.” The findings show that the responsible criminals use typosquatting techniques to make their packages appear legitimate. The nature of the payload that the malware receives once installed is unknown, although North Korea has a history of engaging in hack-for-profit campaigns. Read more.

Android-based Signal and Telegram users targeted by BadBazaar spyware

Researchers at ESET have linked a spyware campaign targeting Signal and Telegram users to GREF, a threat actor linked to China. According to their findings, malicious apps in the Google Play Store and Samsung Galaxy Store infect users with BadBazaar, a type of spyware that “harvests a wide range of data, including call logs, SMS messages, locations, and others.” The two apps containing the spyware are called Signal Plus Messenger and FlyGram. BadBazaar was discovered in 2022, having been used to collect data on China’s Uyghur community. Read more.

Ransomware hackers exploiting vulnerability in unpatched Citrix NetScaler

An unknown threat actor is taking aim at unpatched Citrix NetScaler systems, exploiting CVE-2023-3519, “a critical code injection vulnerability impacting NetScaler ADC and Gateway servers that could facilitate unauthenticated remote code execution.” Noteworthy attributes of the campaign “include the distribution of obfuscated PowerShell scripts, PHP web shells, and the use of an Estonian service called BlueVPS for malware staging.” According to Sophos, the manner of attack implies “that this is activity from a known threat actor specializing in ransomware attacks.” Users of Citrix NetScaler are urged to update their systems and apply all recently released patches immediately. Read more.

FBI takes down Qakbot botnet across 700,000 computers

The FBI has taken down the Qakbot botnet via an operation called “Operation Duck Hunt” in collaboration with international law enforcement. Qakbot is associated with ransomware attacks against government agencies and healthcare organizations worldwide, resulting in $58 million in damages in the last 18 months alone. Seven hundred thousand infected computers had Qakbot removed after the FBI directed Qakbot traffic to agency servers and then pushed uninstallers to the devices harboring the malware. In addition to taking down the botnet, at least for now, the agency also seized around $7 million worth of stolen bitcoin. Read more.

Juniper firewalls vulnerable to RCE attacks due to newly released exploits

Exploit code for Juniper SRX firewalls has been released, putting users at risk of remote code execution. Juniper reported four bugs in its EX switches and SRX firewalls and released patches to address them. The company has not disclosed any information about the bugs being exploited in the wild. Still, administrators are cautioned to update their products immediately and be on alert for incoming attacks. The flaws are reportedly easy to take advantage of, and researchers warn that “given the simplicity of exploitation and the privileged position that JunOS devices hold in a network, we would not be surprised to see large-scale exploitation.” Read more.

Leaked LockBit builder code being used in new wave of ransomware attacks

The leak of the builder code for LockBit V3 ransomware has led to an uptick in attacks as unaffiliated cybercriminals use the tool to suit their needs. While some criminals are customizing the malware to “target local disks or network shares, enabling the kill service, kill process, kill defender, delete logs, and self-destruct parameters in the malware,” most of the groups using the stolen code aren’t making any changes to it and simply standing on the shoulders of threat actors before them. According to researchers at Kaspersky, “many of the detected parameters correspond to the default configuration of the builder; only some contain minor changes. This indicates the samples were likely developed for urgent needs or by lazy actors.” Read more.

KmsdBot upgraded with new capabilities to target IoT devices

Researchers at Akamai report that KmsdBot botnet malware is now targeting IoT devices to expand its attack surface, having been upgraded with “support for Telnet scanning and support for more CPU architectures.” KmsdBot is being regularly maintained, indicating that it is in active use. While primarily built to target private game servers and cloud hosting providers, “the addition of Telnet scanning capabilities suggests an expansion in the botnet’s attack surface, enabling it to target a wider range of devices.” An attack against Telnet is mainly accomplished using lists of commonly used weak passwords for several popular applications, often relying on users not changing the default passwords that come with their IoT devices. Read more.
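The Telnet behaviour described above (a scanner working through a list of common default credentials) leaves a recognizable trace: a burst of failed logins from one source cycling through several usernames, sometimes followed by a success. The detector below is an added example, not code from the article or from Akamai, that runs over constructed syslog lines modelled on the Linux login(1) “FAILED LOGIN … FROM … FOR …” message; the hostname, addresses, the 60-second window and the thresholds (5 failures or 3 distinct usernames) are assumptions chosen for the example, and real IoT devices log in their own formats, so the regexes would need adapting.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sample log (not from Akamai's report). The hostname "iot-gw" and the
# addresses from the RFC 5737 documentation ranges are placeholders.
SAMPLE_LOG = """\
Sep  1 10:02:13 iot-gw login[4121]: FAILED LOGIN 1 FROM 203.0.113.5 FOR admin, Authentication failure
Sep  1 10:02:14 iot-gw login[4121]: FAILED LOGIN 2 FROM 203.0.113.5 FOR admin, Authentication failure
Sep  1 10:02:15 iot-gw login[4122]: FAILED LOGIN 1 FROM 203.0.113.5 FOR root, Authentication failure
Sep  1 10:02:16 iot-gw login[4123]: FAILED LOGIN 1 FROM 203.0.113.5 FOR user, Authentication failure
Sep  1 10:02:17 iot-gw login[4124]: FAILED LOGIN 1 FROM 203.0.113.5 FOR support, Authentication failure
Sep  1 10:02:18 iot-gw login[4125]: FAILED LOGIN 1 FROM 203.0.113.5 FOR guest, Authentication failure
Sep  1 10:15:40 iot-gw login[4301]: FAILED LOGIN 1 FROM 198.51.100.7 FOR alice, Authentication failure
Sep  1 10:15:55 iot-gw login[4301]: LOGIN ON pts/0 BY alice FROM 198.51.100.7
Sep  1 10:20:02 iot-gw login[4310]: LOGIN ON pts/1 BY admin FROM 203.0.113.5
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) login\[\d+\]: (?P<msg>.*)$")
FAIL_RE = re.compile(r"FAILED LOGIN \d+ FROM (?P<ip>\S+) FOR (?P<user>[^,]+),")
OK_RE = re.compile(r"LOGIN ON \S+ BY (?P<user>\S+) FROM (?P<ip>\S+)")


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, str]]:
    """Return (timestamp, 'fail'|'ok', source ip, username) or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Classic syslog timestamps carry no year; strptime defaults to 1900, which
    # is fine because only differences between timestamps are used below.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    msg = m.group("msg")
    f = FAIL_RE.search(msg)
    if f:
        return ts, "fail", f.group("ip"), f.group("user")
    s = OK_RE.search(msg)
    if s:
        return ts, "ok", s.group("ip"), s.group("user")
    return None


def detect_telnet_spray(lines: List[str], window: timedelta = timedelta(seconds=60),
                        fail_threshold: int = 5, user_threshold: int = 3) -> Dict[str, dict]:
    """Flag a source IP when, inside `window`, it produces `fail_threshold`
    failed logins or tries `user_threshold` distinct usernames; record whether
    a successful login from that source follows (the case that needs urgent response)."""
    recent: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    total: Dict[str, int] = defaultdict(int)
    users: Dict[str, set] = defaultdict(set)
    flagged: Dict[str, dict] = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ts, kind, ip, user = ev
        if kind == "fail":
            total[ip] += 1
            users[ip].add(user)
            # Slide the window: keep only failures within `window` of this one.
            recent[ip] = [(t, u) for t, u in recent[ip] if ts - t <= window]
            recent[ip].append((ts, user))
            distinct = {u for _, u in recent[ip]}
            if len(recent[ip]) >= fail_threshold or len(distinct) >= user_threshold:
                flagged.setdefault(ip, {"success_after_spray": None})
        elif kind == "ok" and ip in flagged:
            flagged[ip]["success_after_spray"] = user
    for ip, finding in flagged.items():
        finding["failures"] = total[ip]
        finding["usernames"] = sorted(users[ip])
    return flagged


if __name__ == "__main__":
    for ip, finding in detect_telnet_spray(SAMPLE_LOG.splitlines()).items():
        sev = "CRITICAL" if finding["success_after_spray"] else "warning"
        print(f"{sev}: {ip} {finding['failures']} failures, users={finding['usernames']}, "
              f"login after spray: {finding['success_after_spray']}")
```

The "success after spray" branch is the one worth paging on: a burst of failures alone is background noise on any Internet-exposed Telnet port, while a success from the same source means a default or weak credential worked. The durable fix for the devices in question is to change the factory password and disable Telnet in favour of SSH, or block the port at the network edge, so the detector sees nothing at all.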

New hacking group Flax Typhoon identified by Microsoft

According to findings from Microsoft, a new group of threat actors has been observed targeting government agencies, education organizations, manufacturing, and IT companies. Called “Flax Typhoon,” the group is said to rely little on malware to achieve access to victim networks. They instead use “mostly components already available on the operating system, the so-called living-off-the-land binaries or LOLBins, and legitimate software” such as Windows Risk Management and WMIX for lateral movement. The hackers’ motivation is not yet apparent, though they have been witnessed using stolen credentials to extract data from a targeted system. Read more.


Derek Walborn
Derek Walborn is a freelance research-based technical writer. He has worked as a content QA analyst for AT&T and Pernod Ricard.
