Welcome to Cyber Briefing, the newsletter that informs you about the latest cybersecurity advisories, alerts, incidents and news every weekday.
The latest in cybersecurity: Linux SSH, RDStealer, Zyxel NAS, VMware, Des Moines Public Schools, MOVEit, Vancouver Police, Manchester University, Parker Wellbore.
Unknown threat actors are brute-forcing Linux SSH servers to gain access and install a range of malware, including the Tsunami DDoS bot, ShellBot, log cleaners, privilege escalation tools, and the XMRig coin miner. SSH, the encrypted protocol used for remote administration, is only as strong as its authentication: a server that accepts weak username and password combinations can simply be guessed open. Administrators are advised to require key-based authentication and disable password logins, disable root login, restrict which source addresses may connect, and use strong passwords wherever password authentication cannot be removed. Moving SSH off the default port reduces noise from automated scanners but does not by itself stop an attacker who scans all ports, so it is a supplement to the measures above, not a substitute.
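Detection is the other half of the advice above. The following is an added example, not code from the original briefing or from any of the researchers it cites: it parses constructed sshd syslog lines (the sample log, the host name and the addresses are all made up for the example, and the year is assumed because syslog timestamps carry none), flags source IPs that rack up a burst of failed logins inside a sliding window, and records whether a password login from a flagged IP later succeeded, which is the event that means the brute force worked.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd log lines (syslog format); not taken from any real host.
SAMPLE_AUTH_LOG = """\
Jun 21 10:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.10 port 51122 ssh2
Jun 21 10:00:02 host sshd[1203]: Failed password for root from 203.0.113.10 port 51124 ssh2
Jun 21 10:00:03 host sshd[1205]: Failed password for invalid user test from 203.0.113.10 port 51126 ssh2
Jun 21 10:00:04 host sshd[1207]: Failed password for invalid user oracle from 203.0.113.10 port 51128 ssh2
Jun 21 10:00:05 host sshd[1209]: Failed password for root from 203.0.113.10 port 51130 ssh2
Jun 21 10:00:09 host sshd[1211]: Accepted password for root from 203.0.113.10 port 51132 ssh2
Jun 21 10:03:00 host sshd[1300]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Jun 21 10:03:20 host sshd[1302]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line, year=2023):
    """Return a dict for an sshd auth event, or None for unrelated lines.
    Syslog timestamps carry no year, so one is assumed (2023 here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m.group("result"), "method": m.group("method"),
            "user": m.group("user"), "ip": m.group("ip")}


def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Flag source IPs with >= threshold failed logins inside a sliding window.
    For a flagged IP, also record whether a password login later succeeded."""
    events = sorted(filter(None, (parse_line(l) for l in log_text.splitlines())),
                    key=lambda e: e["ts"])
    recent = defaultdict(list)      # ip -> failure timestamps still inside the window
    total = defaultdict(int)        # ip -> all failures seen
    tried = defaultdict(set)        # ip -> usernames attempted
    flagged = {}
    for e in events:
        ip = e["ip"]
        if e["result"] == "Failed":
            total[ip] += 1
            tried[ip].add(e["user"])
            # keep only failures that fall within the window ending at this event
            recent[ip] = [t for t in recent[ip] if e["ts"] - t <= window] + [e["ts"]]
            if len(recent[ip]) >= threshold and ip not in flagged:
                flagged[ip] = {"first_flagged": e["ts"], "password_login_after_burst": None}
        elif ip in flagged and e["method"] == "password":
            # a guessed password just worked: this is the line to alert on
            flagged[ip]["password_login_after_burst"] = e["user"]
    for ip, info in flagged.items():
        info["failures"] = total[ip]
        info["users"] = sorted(tried[ip])
    return flagged


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        print(ip, info)
```

On the sample log the detector flags 203.0.113.10 after five failures in four seconds and then notes the successful password login as root, while the single typo from 198.51.100.7 followed by a key-based login is left alone. The same result on a real host is the signal that the hardening in the paragraph above was missing: with PasswordAuthentication no and PermitRootLogin no in sshd_config, the "Accepted password for root" line cannot occur.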
A targeted cyber attack spanning more than a year, aimed at compromising credentials and exfiltrating data, used a custom Golang malware called RDStealer, according to a report by Bitdefender. The operation initially relied on widely available remote access trojans before moving to bespoke malware, and it stored its backdoor payloads in Microsoft Windows folders that security products often exclude from scanning. RDStealer, the primary backdoor, gathers clipboard and keystroke data and also watches for incoming Remote Desktop Protocol (RDP) connections; when the connecting client has client drive mapping enabled, it uses the redirected drives to infect the client machine, exfiltrate data, and execute commands. The attack shows how mature threat actors turn widely adopted technologies such as RDP drive redirection into lateral-movement channels.
Zyxel has released security updates for a critical command injection vulnerability, tracked as CVE-2023-27992, in its network-attached storage (NAS) devices. The flaw allows a remote, unauthenticated attacker to execute operating system commands by sending a specially crafted HTTP request, and it is already being exploited to deploy malware on affected systems, potentially recruiting them into a botnet. Zyxel advises users to install the patches; because the flaw needs no authentication, a NAS whose web interface is reachable from the internet should be treated as exposed until it is updated.
Forescout Technologies has disclosed three further vulnerabilities in operational technology (OT) products from Wago and Schneider Electric as part of its OT:Icefall research, adding to the 61 flaws it previously disclosed across more than 100 OT products from 13 vendors. Two of them, CVE-2023-1619 and CVE-2023-1620, affect Wago 750 controllers running the Codesys v2 runtime and allow an authenticated attacker to cause a denial of service (DoS). The third, CVE-2022-46680, is a high-severity flaw in Schneider Electric's ION and PowerLogic product lines that exposes user credentials and allows unauthorized modification of the energy monitors' configuration.
Microsoft has addressed an authentication weakness in Azure Active Directory (Azure AD), named nOAuth by the Descope security team that discovered it, which could let threat actors escalate privileges and take over accounts in applications that use the email claim from Azure AD tokens to identify or authorize users. The email attribute on an Azure AD account is mutable and is not verified by Azure AD, so an attacker who administers their own tenant could set the email on their admin account to the victim's address, sign in to the target application through "Log in with Microsoft", and be matched to the victim's account; the victim did not even need to have a Microsoft account. Applications should identify users by immutable claims such as sub, or the tid and oid pair, rather than by email.
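The following is an added example of how nOAuth plays out in application code, not code from the briefing, from Descope or from Microsoft. The two claim sets are constructed ID-token payloads with placeholder tenant and object identifiers, the application's user store is assumed, and the token's signature, audience and expiry are assumed to have been validated before these lookups run; the only question here is which claims the application keys identity on.

```python
# Constructed claims of a legitimate login by the victim (placeholder identifiers).
VICTIM_CLAIMS = {
    "iss": "https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111/v2.0",
    "tid": "11111111-1111-1111-1111-111111111111",   # victim's tenant
    "oid": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",   # victim's object id
    "sub": "victim-pairwise-subject",
    "email": "victim@example.com",
}

# Constructed claims of the attacker, who administers a separate tenant and has
# set the email attribute of their own account to the victim's address.
# Azure AD does not verify that attribute, so it appears in the token as-is.
ATTACKER_CLAIMS = {
    "iss": "https://login.microsoftonline.com/22222222-2222-2222-2222-222222222222/v2.0",
    "tid": "22222222-2222-2222-2222-222222222222",   # attacker's tenant
    "oid": "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb",   # attacker's object id
    "sub": "attacker-pairwise-subject",
    "email": "victim@example.com",                   # mutable, attacker-chosen
}

# Assumed application user store (constructed). The victim was provisioned
# during an earlier legitimate login, once keyed by email, once by (tid, oid).
USERS_BY_EMAIL = {"victim@example.com": {"user_id": 42, "role": "admin"}}
USERS_BY_SUBJECT = {
    ("11111111-1111-1111-1111-111111111111",
     "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"): {"user_id": 42, "role": "admin"},
}


def lookup_user_by_email(claims):
    """Vulnerable pattern: the email claim is treated as the account identity.
    Any tenant admin who can write that attribute can be matched to the victim."""
    return USERS_BY_EMAIL.get(claims.get("email"))


def lookup_user_by_subject(claims):
    """Hardened pattern: identity is the (tid, oid) pair, which Azure AD issues
    and which an attacker in another tenant cannot choose. The issuer URL must
    also name the same tenant as tid, so a token cannot claim a tenant it was
    not issued by. Returns None for any unknown or inconsistent identity."""
    tid, oid = claims.get("tid"), claims.get("oid")
    if not tid or not oid or f"/{tid}/" not in claims.get("iss", ""):
        return None
    return USERS_BY_SUBJECT.get((tid, oid))


if __name__ == "__main__":
    print("by email, attacker token  :", lookup_user_by_email(ATTACKER_CLAIMS))
    print("by subject, attacker token:", lookup_user_by_subject(ATTACKER_CLAIMS))
    print("by subject, victim token  :", lookup_user_by_subject(VICTIM_CLAIMS))
```

With the attacker's token, the email-keyed lookup returns the victim's admin record and the subject-keyed lookup returns nothing, which is the whole of the fix. Note that sub is pairwise per application, so it is fine as a key inside one application but not for correlating a user across several; the (tid, oid) pair is stable across applications and is the better choice for a shared identity store. Existing users provisioned by email need a one-time migration to a (tid, oid) key, done at a login where the email claim is confirmed out of band rather than trusted from the token.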
In an updated security advisory, VMware has confirmed that CVE-2023-20887, a critical command injection vulnerability in VMware Aria Operations for Networks, is being exploited in attacks. The flaw lets an unauthenticated attacker execute arbitrary commands on the underlying operating system as root. The confirmation followed GreyNoise's observation of mass scanning that used the published proof-of-concept exploit and attempted to open a reverse shell to attacker-controlled servers, so unexpected outbound connections from the appliance are a useful indicator to hunt for.
Des Moines Public Schools, Iowa’s largest school district, confirmed a ransomware attack that led to the shutdown of all networked systems. The district received a ransom demand but chose not to pay. Over 6,700 individuals affected by the data breach will be notified this week about the exposed personal information. As a precautionary measure, affected individuals are being offered complimentary credit monitoring services and guidance on protecting their credit files. Des Moines Public Schools canceled classes for several days following the attack. This incident adds to the growing number of ransomware attacks targeting educational institutions across the United States.
A cyber-espionage group linked to Russia's GRU, known as APT28 or Fancy Bear, has breached Roundcube Webmail servers at multiple Ukrainian organizations, including government entities. The group sent emails themed around the war between Russia and Ukraine; when a recipient opened one in a vulnerable Roundcube instance, it exploited Roundcube Webmail vulnerabilities to give the attackers access to the mailbox. The hackers then redirected incoming emails, conducted reconnaissance, and stole military intelligence in support of Russia's invasion of Ukraine. The campaign overlaps with previous APT28 activity and continues the group's persistent targeting of organizations for espionage.
Gen Digital, the cybersecurity company behind well-known brands such as Avast, Avira, AVG, Norton, and LifeLock, has confirmed that personal information of employees was compromised in the Cl0p ransomware gang's mass data-theft campaign against MOVEit Transfer. The campaign exploited a critical SQL injection vulnerability in MOVEit Transfer, tracked as CVE-2023-34362 and disclosed by Progress Software. Cl0p has publicly named more than 100 impacted organizations, including Norton LifeLock. Gen Digital says it has taken immediate action to protect its environment and investigate the impact, that no customer or partner data was exposed, and that personal information of its employees and contingent workers was compromised.
Metro Vancouver Transit Police have fallen victim to a cyberattack, with hackers breaching the agency’s files as part of a global wave of attacks attributed to a Russian cyber-extortion gang. The police service is currently conducting a thorough review to determine the extent of the accessed information, but assures that the Transit Police network remains secure and the software vulnerability has been fixed. Investigations into the incident are being carried out by the RCMP’s cybercrime investigative teams in Montreal and Vancouver, with no expected impact on ongoing investigations or prosecutions.
Parker Wellbore, a utility and energy company based in Houston, Texas, recently experienced a data breach that compromised sensitive consumer information. The breach resulted in unauthorized access to personal details such as names, Social Security numbers, driver’s license numbers, financial account information, and medical records. In response, Parker Wellbore has begun notifying affected individuals and advising them on proactive steps to mitigate the risk of identity theft and fraud. If you have received a data breach notification from Parker Wellbore, it is crucial to understand your rights and potential legal options by consulting with a data breach lawyer.
The University of Manchester has fallen victim to a cyberattack, and the attackers have escalated the situation by emailing students, warning that their data will be leaked if the extortion demand goes unpaid. According to the threat actors, they breached the university's network on June 6, 2023 and stole 7TB of data, including personal information, research data, medical records, and more. No known ransomware group has claimed responsibility, but the tactics are those of a double-extortion scheme, in which stolen data is leveraged to coerce the victim into paying.
The agency responsible for Australia’s national disability insurance scheme (NDIS) is urgently investigating whether sensitive client information related to appeal cases has been compromised in a major cybersecurity breach targeting the law firm HWL Ebsworth, which has represented the agency. The Russian-linked ALPHV/Blackcat ransomware group claimed responsibility for the hack and has already published a portion of the stolen data, including confidential information. The law firm has obtained a non-publication order to prevent further dissemination of the leaked material, leaving HWL Ebsworth clients uncertain about the impact of the breach.
Federal market regulators have postponed their decision on new rules mandating the disclosure of cybersecurity incidents and cyber expertise on public boards in the private sector. The U.S. Securities and Exchange Commission (SEC) announced the delay following opposition to a proposal that requires publicly traded companies to disclose “material cybersecurity incidents” within four business days of discovery. The final rules, which were initially expected to be published in April, are now anticipated to be released in October.
During a parliamentary hearing on cybercrime, British lawmakers were informed that the country’s Computer Misuse Act of 1990, which criminalizes hacking and unauthorized access to computer systems, is outdated and obstructs law enforcement efforts against cyber criminals. Testifying before the parliamentary committee, Graeme Biggar, the director general of the UK’s National Crime Agency, highlighted the Act’s failure to address data theft as a criminal offense and its limitations in prosecuting foreign cybercriminals. Biggar emphasized the urgent need to update the law to enable effective investigation and disruption of cybercrime activities, including the ability to arrest and extradite criminals operating outside the UK.