
Cyber Briefing 2023.07.11

July 11, 2023

Welcome to Cyber Briefing, the newsletter that informs you about the latest cybersecurity advisories, alerts, incidents and news every weekday.

The latest in cybersecurity: Apple, VMware, RomCom RAT, NATO, TOITOIN, SCARLETEEL, EdgeRouter, Trinidad and Tobago, Ventia, Shiseido, EU-US Privacy Agreement.


🚨 Cyber Alerts


1. Apple’s Emergency Zero-Day Updates

Apple has released Rapid Security Response (RSR) updates to address a newly discovered zero-day vulnerability impacting fully-patched iPhones, Macs, and iPads. The flaw, identified as CVE-2023-37450, has been actively exploited, prompting Apple to urge all users to install the recommended security fixes. This latest round of emergency patches follows a series of zero-day vulnerabilities that Apple has addressed throughout 2023, highlighting the ongoing need for vigilant security measures on Apple devices.


2. VMware Warns of Critical Flaw

Virtualization technology leader VMware issued a warning on Monday about the public release of exploit code for a pre-authentication remote code execution flaw in its enterprise-focused VMware Aria Operations for Logs product. The release of the exploit code for CVE-2023-20864 underscores the critical need for enterprise network administrators to promptly apply available patches to mitigate the risk.


3. Spear-Phishing Targets NATO with RomCom RAT

Threat actors have launched a spear-phishing campaign aimed at organizations supporting Ukraine and participants of the upcoming NATO Summit. BlackBerry’s Threat Research and Intelligence team uncovered the campaign, which involves the distribution of the RomCom RAT. The attackers impersonated the Ukrainian World Congress and used lure documents to deceive victims into downloading weaponized versions of popular software from a cloned website.


4. TOITOIN: Sophisticated Banking Trojan Targets LATAM

A new banking trojan called TOITOIN has been targeting businesses in the Latin American region since May 2023. Researchers from Zscaler have identified a multi-staged infection chain used in this sophisticated campaign, involving specially crafted modules that carry out malicious activities such as code injection, User Account Control circumvention, and sandbox evasion techniques. The attack begins with phishing emails containing an embedded link to a ZIP archive hosted on an Amazon EC2 instance, leading to the deployment of next-stage payloads and the injection of the TOITOIN Trojan into the “svchost.exe” process. This campaign showcases deceptive phishing techniques and the use of custom-developed modules with various evasion and encryption methods.


5. SCARLETEEL: Advanced Cloud Attack Targeting AWS

A sophisticated and ongoing attack campaign known as SCARLETEEL is intensifying its focus on Amazon Web Services (AWS) Fargate, according to security researchers. The threat actors behind SCARLETEEL have adapted their tools and techniques to bypass security measures, exploiting vulnerable web applications to gain persistence and carry out activities such as data theft and illegal cryptocurrency mining. The attackers leverage JupyterLab notebook containers, AWS credentials, and exploitation frameworks to escalate privileges and gain control over targeted accounts, with a focus on both monetary gain and intellectual property theft.


6. Ubiquiti EdgeRouter Vulnerability Exposed

A Proof-of-Concept (PoC) exploit for the CVE-2023-31998 vulnerability in Ubiquiti EdgeRouter has been made available, allowing potential execution of arbitrary code and interruption of UPnP service. The flaw, impacting EdgeRouters and Aircubes, is a heap overflow issue found in the miniupnpd service and can be exploited by a LAN attacker. While Ubiquiti has released software updates to address the vulnerability, it is important for users to promptly update their devices to mitigate the risk of exploitation.



💥 Cyber Incidents


7. Trinidad and Tobago Cyberattack Disrupts Operations

Trinidad and Tobago’s justice department is grappling with a cyberattack that has caused disruptions in the ministry’s operations. The attack, targeting the Office of the Attorney General and Ministry of Legal Affairs, led to outages and the inability to receive electronically served court documents since June 30. The country’s Ministry of Digital Transformation is investigating the incident in collaboration with cybersecurity experts while providing alternative means of communication for court-related matters.


8. Massive Patient Data Breach at HCA Healthcare

HCA Healthcare Inc., the largest hospital company in the U.S., disclosed a data breach where the personal data of approximately 11 million patients was exposed on an online forum. The breached information included names, email addresses, phone numbers, birth dates, and appointment details, but sensitive data such as clinical records, payment details, passwords, and social security numbers remained secure. The breach was attributed to the theft of externally stored data used for automated email messages, which has now been disabled to prevent further breaches. While investigations are ongoing, HCA has not detected any malicious activity within its networks or operating systems, and it does not anticipate significant operational impacts due to the breach. Such incidents nonetheless raise concerns about patient privacy and healthcare system disruption in the face of growing cybersecurity threats.


9. Critical Infrastructure Provider Ventia Faces Cyberattack

Ventia, a critical infrastructure services provider operating across defense, electricity, gas, environmental services, and water industries, has experienced a cyberattack that prompted the company to shut down key systems. With over 400 sites in Australia and New Zealand and a large employee base, Ventia has engaged external experts and law enforcement to investigate the incident. While operations continue, the company is closely monitoring its network for any abnormal activity and expects to return to normal in the coming days. The nature and impact of the attack, as well as potential data theft, are yet to be disclosed by Ventia.


10. Data Breach: Shiseido Employees Face Exploitation

Louise, a victim of the data breach at Shiseido, shares her experience of receiving threats from criminals who stole her data and demanded money, even threatening to post naked photos of her online. The breach affected over 500 current and former employees of the cosmetics company. Fraudsters applied for a loan in Louise’s name and contacted her, pretending to be from her bank. When she refused to transfer the money, they became threatening, claiming to know her personal information and vowing to harm her and her family if she didn’t comply.


11. Indonesian Passport Data Breach: Dark Web Sale

The personal information of nearly 35 million Indonesian passport holders has surfaced on the dark web, available for sale at $10,000. The notorious hacktivist Bjorka, who frequently criticizes the Indonesian government and has previously targeted high-profile entities, is behind the data breach. The leaked data includes full names, birthdates, gender, passport numbers, and passport validity dates, with a sample of 1 million records provided as proof of authenticity.



📢 Cyber News


12. EU-US Data Deal: Strengthened Data Privacy

The European Union and the United States have reached a groundbreaking data transfer agreement, reshaping the way digital information can be shared between the continents with a focus on enhanced data privacy. The European Commission will officially recognize the US as a trusted partner for securing European citizen data, while the US has committed to stringent data privacy protections, including limited access by American intelligence services to only necessary and proportionate data. This agreement will facilitate transatlantic digital trade worth trillions of dollars, benefiting numerous companies and bringing legal certainty to data flows.


13. Mozilla’s Quarantined Domains: Enhanced Add-on Security

Mozilla has unveiled Quarantined Domains, a new feature that allows certain add-ons to be blocked from running on specific websites. The move aims to address security concerns and prevent malicious actors from exploiting the openness of the add-on ecosystem. While users will have more control over the add-on settings in future Firefox versions, security researcher Jeff Johnson highlighted the need for better user interface design, as the warning alerts no longer appear in the Extensions popup when an add-on is pinned to the toolbar. In addition, Mozilla has criticized France’s proposed website blocking initiative, emphasizing the potential risks it poses to content moderation norms and censorship circumvention tools.


14. Windows 11 EOS: Update & Support Alert

Microsoft has issued a warning to customers that multiple editions of Windows 11, version 21H2, will reach the end-of-service (EOS) in three months’ time, on October 10, 2023. The affected editions include Home, Pro, Pro Education, and Pro for Workstations. After the EOS date, these editions will no longer receive security updates, prompting Microsoft to direct customers to update their devices to the latest version of Windows 11 for continued support. Additionally, Windows 11 22H2 (the Windows 11 2022 Update) is being force-installed on systems currently running Windows 11 21H2, which is nearing its EOS date.


15. TPG Acquires Forcepoint’s G2CI Unit for $2.5B

Private equity firm TPG has announced its plans to acquire Forcepoint’s Global Governments and Critical Infrastructure (G2CI) business unit in a deal estimated to be worth around $2.5 billion. The G2CI unit, initially established in 2018 as Forcepoint’s government cybersecurity division, will be spun out as an independent entity, focusing on enhancing the company’s data-first Secure Access Service Edge (SASE) offering with new capabilities and third-party integrations. Francisco Partners, the previous owner of Forcepoint, will retain a minority stake in the government-focused unit while continuing to operate Forcepoint’s commercial cybersecurity business separately.




Copyright © 2023 CyberMaterial. All Rights Reserved.