SAN MATEO, CA, November 20, 2023 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Brought to you by NetworkTigers.
- Beware of scammers luring victims with Black Friday phishing schemes
- FBI and CISA release advisory in response to activity from Scattered Spider threat group
- MySQL servers under attack from Ddostf botnet
- CISA and FBI warn of Rhysida ransomware attacks
- Microsoft issues patches for five zero-day bugs in monthly update
- Ransomware gang applies pressure on victim company by reporting them to the SEC
- Threat actors abuse Ethereum feature to steal $60 million in crypto
- A major government breach exposed sensitive data belonging to 1.3 million Maine residents
- LockBit ransomware group leaks data stolen from Boeing
Beware of scammers luring victims with Black Friday phishing schemes
Cybercriminals are working hard to lure unsuspecting shoppers into clicking malicious links in emails purporting to contain Black Friday sales from luxury brands. Victims who click the included links land on websites that mimic those of Rolex, Ray-Ban, and other premium manufacturers. The sites prompt visitors to enter login credentials, which the attackers can then reuse in further attacks. Threat actors continually adapt their lures to seasonal and popular trends, and shoppers are encouraged to be highly cautious of holiday deals that seem too good to be true. Read more.
FBI and CISA release advisory in response to activity from Scattered Spider threat group
The FBI and CISA have issued a joint advisory on Scattered Spider, a financially motivated threat group adept at social engineering, “especially phishing, push bombing, and subscriber identity module (SIM) swap attacks, to obtain credentials, install remote access tools, and/or bypass multi-factor authentication (MFA).” The advisory contains a wealth of information regarding the group’s history, the malware it employs, and its favored tactics. It also includes a list of mitigations and protocols that can be applied to help safeguard against attack. “Scattered Spider threat actors, per trusted third parties, have typically engaged in data theft for extortion and have also been known to utilize BlackCat/ALPHV ransomware alongside their usual TTPs.” Read more.
MySQL servers under attack from Ddostf botnet
Researchers at AhnLab Security Emergency Response Center (ASEC) have reported a campaign in which the Ddostf malware botnet compromises MySQL servers and conscripts them into DDoS attacks. The attackers scan the internet for exposed MySQL servers and then attempt to brute-force their way into administrator accounts. Security experts recommend that MySQL administrators install all current updates and use good password hygiene to avoid a breach; not exposing the database port to the internet in the first place removes the attack surface these scans rely on. “Ddostf is a malware botnet of Chinese origin, first spotted in the wild roughly seven years ago, and targets both Linux and Windows systems.” Read more.
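Both the push bombing named in the Scattered Spider advisory above and the Ddostf brute-forcing of MySQL accounts show up in logs as a burst of failures tied to one principal. The script below is an added example, not code from ASEC, CISA or the FBI: one sliding-window counter applied to constructed MySQL 8 error-log lines (the access-denied wording follows MySQL's format; the hosts, users and timestamps are made up) and to constructed MFA push events in a generic key=value format that stands in for a real identity provider's export. The thresholds and windows are assumptions to tune per environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the shape of a MySQL 8 error log; not from a real
# incident. Five failures from one source in eight seconds, one stray failure
# from another host, and an unrelated line that the parser must ignore.
MYSQL_ERROR_LOG = """\
2023-11-15T10:22:01.000000Z 12 [Warning] [MY-010926] [Server] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2023-11-15T10:22:03.000000Z 13 [Warning] [MY-010926] [Server] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2023-11-15T10:22:04.000000Z 14 [Warning] [MY-010926] [Server] Access denied for user 'admin'@'203.0.113.5' (using password: YES)
2023-11-15T10:22:06.000000Z 15 [Warning] [MY-010926] [Server] Access denied for user 'admin'@'203.0.113.5' (using password: YES)
2023-11-15T10:22:09.000000Z 16 [Warning] [MY-010926] [Server] Access denied for user 'mysql'@'203.0.113.5' (using password: YES)
2023-11-15T10:30:00.000000Z 17 [Warning] [MY-010926] [Server] Access denied for user 'app'@'198.51.100.20' (using password: YES)
2023-11-15T10:31:12.000000Z 0 [System] [MY-010931] [Server] /usr/sbin/mysqld: ready for connections.
"""

# Constructed MFA push log in a generic key=value format (an assumption; real
# IdP exports differ). j.doe denies three prompts, then approves the fourth.
MFA_PUSH_LOG = """\
2023-11-15T03:14:20Z user=j.doe event=push_denied src=198.51.100.7
2023-11-15T03:15:02Z user=j.doe event=push_denied src=198.51.100.7
2023-11-15T03:15:40Z user=j.doe event=push_denied src=198.51.100.7
2023-11-15T03:16:30Z user=j.doe event=push_approved src=198.51.100.7
2023-11-15T03:20:00Z user=a.smith event=push_denied src=192.0.2.44
2023-11-15T08:00:00Z user=a.smith event=push_approved src=192.0.2.44
"""

MYSQL_RE = re.compile(
    r"^(\S+) \d+ \[\w+\] \[[^\]]+\] \[Server\] Access denied for user '([^']*)'@'([^']*)'")
MFA_RE = re.compile(r"^(\S+) user=(\S+) event=(\S+)")


def parse_mysql_failures(text):
    """Return (timestamp, source_host) for every access-denied line."""
    out = []
    for line in text.splitlines():
        m = MYSQL_RE.match(line)
        if m:
            out.append((datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S.%fZ"), m.group(3)))
    return out


def parse_mfa_events(text):
    """Return (timestamp, user, event) for every push event line."""
    out = []
    for line in text.splitlines():
        m = MFA_RE.match(line)
        if m:
            out.append((datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"), m.group(2), m.group(3)))
    return out


def burst_alerts(events, window, threshold):
    """Sliding-window counter over (timestamp, key) pairs.
    Returns {key: time at which `threshold` events first fell within `window`}."""
    recent = defaultdict(deque)
    alerts = {}
    for ts, key in sorted(events):
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:          # drop events that aged out of the window
            q.popleft()
        if len(q) >= threshold and key not in alerts:
            alerts[key] = ts
    return alerts


def mysql_bruteforce_sources(text, window=timedelta(seconds=60), threshold=5):
    """Source hosts that produced `threshold` auth failures within `window`."""
    return burst_alerts(parse_mysql_failures(text), window, threshold)


def push_bombing_victims(text, window=timedelta(minutes=10), threshold=3):
    """Users whose denied prompts burst, plus approvals that followed the burst
    (the moment an MFA-fatigue attack succeeds)."""
    events = parse_mfa_events(text)
    denied = [(ts, user) for ts, user, ev in events if ev == "push_denied"]
    alerts = burst_alerts(denied, window, threshold)
    risky_approvals = [(user, ts) for ts, user, ev in sorted(events)
                       if ev == "push_approved" and user in alerts and ts >= alerts[user]]
    return alerts, risky_approvals


if __name__ == "__main__":
    print(mysql_bruteforce_sources(MYSQL_ERROR_LOG))
    print(push_bombing_victims(MFA_PUSH_LOG))
```

The MFA check reports the approval that follows a burst of denials rather than the denials alone, because that approval is the point at which the attacker holds a valid session and the response (revoke the session, reset the factor, call the user) has to happen immediately.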
CISA and FBI warn of Rhysida ransomware attacks
An advisory from the FBI and CISA warns of the Rhysida ransomware operation and the double extortion tactics its operators employ. “Observed as a ransomware-as-a-service (RaaS) model, Rhysida actors have compromised organizations in education, manufacturing, information technology, and government sectors, and any ransom paid is split between the group and affiliates,” the advisory reads. “Rhysida actors leverage external-facing remote services, such as virtual private networks (VPNs), Zerologon vulnerability (CVE-2020-1472), and phishing campaigns to gain initial access and persistence within a network.” Like other double extortion gangs, Rhysida demands payment for a decryptor and threatens to publish the stolen data if the ransom is not paid. Read more.
Microsoft issues patches for five zero-day bugs in monthly update
Microsoft’s monthly update includes fixes for five zero-day vulnerabilities, three of which have been observed being exploited in the wild; the other two were publicly disclosed before a fix was available. CVE-2023-36036 is “a critical elevation of privilege issue affecting Microsoft Windows 10 and later, and Microsoft Windows Server 2008 and later.” CVE-2023-36033 is an elevation of privilege vulnerability in the Windows DWM Core Library; it is exploitable locally, with low attack complexity, and requires neither elevated privileges nor user interaction. The third exploited zero-day is CVE-2023-36025, “a security feature bypass bug in Windows SmartScreen, enabling attackers to circumvent Windows Defender SmartScreen checks and prompts.” In total, Microsoft’s update addresses 58 security flaws. Read more.
Ransomware gang applies pressure on victim company by reporting them to the SEC
The ALPHV ransomware gang, otherwise known as BlackCat, has found a novel way to apply additional pressure to a victim whose systems it has breached. MeridianLink, a software company, has been listed on the gang’s leak site as a successful breach, along with a threat to leak stolen data in the absence of a ransom payment. With MeridianLink yet to comply with ALPHV’s demands, the gang took it upon itself to report the company to the SEC for failing to comply with new rules that require public companies to disclose a material cybersecurity incident within four business days of determining that it is material. While that rule does not take effect until December 15, 2023, the maneuver illustrates the lengths to which ransomware gangs and other threat actors will go to strong-arm their victims. Read more.
Threat actors abuse Ethereum feature to steal $60 million in crypto
Threat actors are abusing Ethereum’s Create2 feature to “bypass wallet security alerts and poison cryptocurrency addresses, which led to stealing $60,000,000 worth of cryptocurrency from 99,000 people in six months,” according to findings from researchers at Scam Sniffer. Create2 derives a contract’s address from the deploying address, a salt chosen by the deployer, and the hash of the contract’s initialization code, so the address is known before anything is deployed to it. Their report details how this can be misused to generate new contract addresses with clean transaction histories that bypass wallet security alerts. “When a victim signs a malicious transaction, the attacker deploys a contract at the pre-calculated address and transfers the victim’s assets to it, a non-reversible process.” Read more.
A major government breach exposed sensitive data belonging to 1.3 million Maine residents
The state of Maine has reported that 1.3 million residents have had their data exposed in a government breach related to Cl0p’s hack of MOVEit. Affected data is said to include names, Social Security numbers, birth dates, taxpayer and license identification numbers, medical information, and health insurance information. Maine’s population is around 1.38 million, meaning that almost the entirety of the state’s population has had their sensitive data exposed due to the hack, which took place in May of 2023. Most of the information originated from Maine’s Department of Health and Human Services, with the rest coming from the state’s Department of Education and several other departments. Read more.
LockBit ransomware group leaks data stolen from Boeing
The LockBit ransomware gang has made good on threats to leak “a tremendous amount of sensitive data” from Boeing, posting 43GB of sensitive information on its leak site in response to the aerospace company’s refusal to negotiate. The data published includes “configuration backups for IT management software, and logs for monitoring and auditing tools” as well as “backups from Citrix appliances… which sparked speculation about LockBit ransomware using the recently disclosed Citrix Bleed vulnerability (CVE-2023-4966).” Boeing has acknowledged that a breach occurred but has provided no other information about it at this time. Read more.