Welcome to Cyber Briefing, the newsletter that informs you about the latest cybersecurity advisories, alerts, incidents and news every weekday.
The latest in cybersecurity: WordPress, Condi Botnet, TP-Link, Apple, Graphican Backdoor, ScarCruft, Cisco, UPS, Mondelēz International, Z-ERA, Amazon, TikTok, Crypto Scam.
Web application security firm Defiant has raised the alarm on critical-severity vulnerabilities affecting two widely-used WordPress plugins. The first flaw, tracked as CVE-2023-2986, impacts the Abandoned Cart Lite for WooCommerce plugin, allowing attackers to create identifiers for other users’ carts and potentially gain access to customer and administrator accounts. The second vulnerability, CVE-2023-2834, affects the BookIt plugin, enabling unauthenticated attackers to log in as any existing user by knowing their email address. While patches have been released for both plugins, tens of thousands of websites are still running vulnerable versions.
A notorious stresser/booter service named Condi, powered by the Mirai-based botnet, has set its sights on disrupting consumer-grade Wi-Fi routers that run unpatched firmware. The threat actor behind Condi has launched a Telegram channel to advertise the botnet, offering distributed denial-of-service attacks and even selling the source code itself. Security researchers from Fortinet have discovered that the latest version of Condi targets vulnerable TP-Link Archer AX21 routers, exploiting a critical bug that allows unauthorized attackers to inject commands with root access, leading to potential chaos in infected devices.
Apple has released security updates addressing three new zero-day vulnerabilities that were exploited to install Triangulation spyware on iPhones using iMessage zero-click exploits. The vulnerabilities, tracked as CVE-2023-32434 and CVE-2023-32435, were reported by Kaspersky security researchers and allowed attackers to gain root privileges on targeted devices. The spyware component, known as TriangleDB, was deployed in memory and would uninstall itself after 30 days unless the device was rebooted, prompting the attackers to reinfect it. This is the latest in a series of zero-day vulnerabilities patched by Apple this year, highlighting the ongoing threats faced by iOS devices.
APT15, a Chinese state-sponsored hacking group, has been identified utilizing a new backdoor named ‘Graphican’ in a targeted campaign focusing on foreign affairs ministries in Central and South American countries. This sophisticated backdoor leverages Microsoft Graph API and OneDrive for command and control infrastructure, enabling stealthy operations and resilience against takedowns. Alongside Graphican, APT15 employs a range of tools such as Mimikatz, Lazagne, and web shells, highlighting their continuous improvement in evasive tactics and threat capabilities.
ScarCruft, a state-sponsored North Korean outfit linked to the Ministry of State Security (MSS), has been observed utilizing an information-stealing malware equipped with undocumented wiretapping capabilities, along with a Golang-based backdoor that exploits the Ably real-time messaging service. The group employs spear-phishing lures and custom tools to target specific individuals, including North Korean defectors, human rights activists, and university professors. The recent intrusion involves the use of Microsoft Compiled HTML Help files to deliver a PowerShell malware named Chinotto, which establishes persistence and downloads the AblyGo backdoor, facilitating command-and-control operations for the group.
A critical vulnerability in Cisco Secure Client Software for Windows (formerly AnyConnect Secure Mobility Client) has been discovered, enabling attackers to elevate their privileges to the SYSTEM account. This flaw, identified as CVE-2023-20178, allows threat actors to exploit a specific function of the Windows installer process without requiring user interaction. While Cisco has released security updates to address the issue, proof-of-concept exploit code has recently been published, raising concerns about potential attacks leveraging this vulnerability.
Multinational shipping company UPS has issued a data breach notification to Canadian customers, revealing that their personal information may have been exposed through the company’s online package look-up tools and subsequently exploited in phishing attacks. While initially disguised as a warning about phishing dangers, the UPS letter disclosed that recipients’ names and address information were being used in fraudulent SMS phishing messages. Investigation results indicate that threat actors accessed UPS’ package look-up tools between February 2022 and April 2023 to obtain delivery details, including customers’ contact information. UPS has taken steps to restrict access to sensitive data and is notifying affected individuals to ensure transparency and awareness.
Snack food giant Mondelez, known for brands like Oreo and Milka, has issued a warning to its employees regarding a data breach at law firm Bryan Cave, which provides legal services to Mondelez and other Fortune 500 companies. The breach has impacted more than 50,000 current and former Mondelez employees, compromising personal data such as Social Security numbers, names, addresses, and more. While financial information remains unaffected, Mondelez has offered credit monitoring services to the victims. Mondelez reported that the breach did not occur within its own systems, but rather through unauthorized access to Bryan Cave’s systems.
The Department of Health and Human Services has issued a warning to the healthcare sector regarding a recent ransomware attack on a U.S. cancer center. The attack, carried out by the TimiSoaraHackerTeam (THT) ransomware group, resulted in a significant impact on patient care, including the loss of critical treatment capabilities and the potential exposure of personal health information. THT is believed to have connections to Eastern Europe and China and may be associated with other ransomware groups like DeepBlueMagic and APT41. Healthcare organizations are urged to patch vulnerable tools and report any signs of THT or ransomware activity to the appropriate authorities.
A non-fungible token (NFT) based card game called Z-ERA has fallen victim to an exploit, resulting in the theft of $285,000, according to blockchain security firm CertiK. The attack involved the deployment of an unverified contract by an externally-owned account (EOA), allowing the attacker to steal 1.8 million ZERA tokens and subsequently sell them. The incident caused the price of the ZERA token to plummet by 99%, impacting approximately 27% of its circulating supply.
The Federal Trade Commission (FTC) has filed a complaint against Amazon, accusing the e-commerce giant of employing dark patterns to trick users into signing up for its Prime program and making it extremely challenging to cancel the automatically-renewing subscriptions. The deceptive techniques allegedly violated consumer protection laws and left customers unknowingly enrolled in costly memberships. In addition, Amazon has agreed to pay $30 million in fines for privacy violations related to its Alexa and Ring services, as well as facing charges of violating the Children’s Online Privacy Protection Act.
Senators Richard Blumenthal and Marsha Blackburn have released a bipartisan letter alleging that TikTok has consistently allowed private data of American users to be stored and accessed in China, despite previous claims by TikTok executives that the data is stored solely in the United States. The letter references press reports documenting misleading assurances made by TikTok regarding the storage location of American user data. The senators highlight a Forbes report indicating that TikTok stored sensitive financial information, including Social Security numbers and tax data, of American creators in China without their knowledge.
In a controversial move, the European Council has proposed amendments to the European Media Freedoms Act (EMFA) that would reduce the level of protections provided to journalists from government surveillance and spyware. The amendments would increase the circumstances in which spyware can be used against journalists and emphasize member states’ sovereignty over national security decisions. Civil society groups have raised concerns that these amendments would limit the ability of the European Union’s Court of Justice to hold member states accountable for hacking into journalists’ phones. The proposed law will now be negotiated with the European Parliament and the European Commission later this year.
In a comprehensive interview, the State Department’s cyberspace ambassador emphasized the need for regulations in artificial intelligence (AI) to prevent its misuse, including the spread of disinformation and cyberattacks. The ambassador also highlighted the importance of countering China’s geopolitical influence by forming alliances and addressing vulnerabilities in internet infrastructure. Additionally, he called for a stronger role for diplomacy and the State Department in the government’s cybersecurity efforts.
Ukrainian cyber police have successfully dismantled a fraudulent investment scam in which cryptocurrency was stolen from Canadian citizens. Operating from call centers in Ukraine, the scammers posed as legitimate cryptocurrency company representatives, convincing victims to install a program on their devices. This allowed the scammers to gain access to victims’ personal computers, crypto wallets, and financial details, ultimately leading to the theft of funds. Ukrainian and Canadian authorities collaborated in the operation, resulting in arrests and the seizure of equipment, with ongoing investigations to uncover additional participants, victims, and the extent of the scam’s profits.