In today’s edition: WinRAR, Zero-Day, Neanderthals, Russia, Telegram, Phishing Toolkit, Whiffy Recon, Malware, WiFi, Lazarus APT, Zoho, Jupiter X, WordPress, NVIDIA, Discord Data Breach, Pôle Emploi, France, Exactly Protocol and Harbor Protocol Heist, Lockbit Ransomware, Stockwell Harris, DHS, AI, Knicks Sue Raptors, Ransomware on the Rise, SpyCloud.
Hackers have taken advantage of a zero-day vulnerability in the widely used WinRAR archiving tool to target traders and steal funds. The flaw, identified by cybersecurity firm Group-IB, allows hackers to embed malicious scripts within seemingly harmless archive files, effectively compromising victims’ machines. These malicious ZIP archives have been circulating on specialized trading forums since April, spreading across at least eight platforms. Once the malware-laced files are opened, hackers gain unauthorized access to brokerage accounts, potentially leading to illicit financial transactions and fund withdrawals.
Cybercriminals have introduced a sophisticated phishing toolkit called Telekopye, merging the power of Telegram and the term “kopye” (meaning “spear” in Russian). This toolkit enables the automated creation of phishing web pages using pre-designed templates, with the URLs distributed to potential victims, referred to as Mammoths by the attackers. Originating from Russia, these threat actors, dubbed Neanderthals, have been utilizing Telekopye since at least 2015 to orchestrate elaborate phishing attacks that involve building trust, sharing deceptive links, and siphoning off funds from victims through fraudulent credit/debit card gateways, with the proceeds laundered via cryptocurrency.
Cybercriminals have unleashed a new malware, Whiffy Recon, within the Smoke Loader botnet, employing it to pinpoint infected devices via WiFi scanning and Google’s geolocation API. This technique enables triangulation accuracy ranging from 20 to 50 meters, facilitating location tracking for targeted attacks or intimidation purposes. By utilizing the geographic coordinates returned by Google’s service, the malware crafts comprehensive reports about access points and sends them to the threat actor’s command and control server every minute, potentially allowing near-real-time tracking of compromised devices.
The Lazarus APT group, linked to North Korea, has taken advantage of a critical vulnerability within Zoho ManageEngine ServiceDesk Plus, identified as CVE-2022-47966, to distribute the QuiteRAT malware. Focusing their efforts on an Internet backbone infrastructure provider and healthcare organizations across Europe and the United States, the state-sponsored hackers acted swiftly after public disclosure of proof-of-concept (PoC) exploits. The group harnessed the flaw to deploy the QuiteRAT malware, which exhibits similarities to the MagicRAT malware previously employed by the Lazarus Group, albeit with a considerably smaller file size; both leverage the Qt framework to support remote command execution.
Two critical vulnerabilities have been found in Jupiter X Core, a premium plugin widely used for WordPress and WooCommerce website setups. These vulnerabilities allow attackers to take control of user accounts and upload files without authentication. With a severity rating of 9.0 and affecting versions 3.3.5 and below, the first vulnerability (CVE-2023-38388) enables arbitrary code execution through unauthenticated file uploads. The second flaw (CVE-2023-38389), with a severity score of 9.8, permits unauthenticated attackers to compromise WordPress user accounts based on knowing the email address, which can potentially lead to severe site breaches.
Significant vulnerabilities within NVIDIA’s D3D10 driver’s shader functionality have been disclosed. The vulnerabilities, labeled TALOS-2023-1719 (CVE-2022-34671), TALOS-2023-1720 (CVE-2022-34671), and TALOS-2023-1721 (CVE-2022-34671), with a CVSS severity rating of 8.5, can lead to memory corruption when a specially crafted shader packer is sent. These issues could be exploited from virtualization environments or even web browsers using WebGL and WebAssembly, raising concerns about guest-to-host escape attacks. Talos collaborated with NVIDIA to address these vulnerabilities, ensuring an update is available for affected users, in line with Cisco’s disclosure policy.
Starting Monday, Discord began notifying users who were affected by a data breach that occurred earlier this year. The breach originated from a security compromise at a third-party service provider on March 29, where a customer support agent’s account was compromised. Attackers gained access to user email addresses, messages exchanged with Discord support, and support ticket attachments. Discord took immediate action to address the incident, promptly deactivating the compromised account. Only 180 users had sensitive personal information exposed in the attack, as stated in breach notices filed with the Office of Maine’s Attorney General.
The French national employment agency, Pôle Emploi, has fallen victim to a cyber-attack that could potentially jeopardize the personal information of up to 10 million individuals. Security experts have traced the breach to the Clop ransomware gang’s MOVEit campaign, which has already impacted a substantial number of organizations and individuals globally. The breach has raised concerns about the exposure of critical data, including names, employment statuses, and social security numbers, for both current and former registrants of the agency. The breach’s suspected origin lies within the IT systems of Majorel, one of Pôle Emploi’s data processing contractors.
Recent days have witnessed a series of high-stakes cyberattacks on cryptocurrency platforms, resulting in the theft of millions of dollars’ worth of digital currency. Two platforms, Exactly Protocol and Harbor Protocol, have been targeted, prompting both to suspend their operations and caution users about potential losses. While Exactly Protocol is actively investigating the security breach that led to a reported theft of over $12 million, blockchain security experts believe the losses could be closer to $7 million. Harbor Protocol, on the other hand, faced its own attack, with funds being drained from the DeFi tool, leaving users frustrated by the lack of communication about the extent of the breach.
The Lockbit ransomware group has targeted Stockwell Harris Law, a leading legal firm specializing in California’s Workers’ Compensation defense. The group’s ominous post, marked with a timestamp, directly implicated the law firm in the breach, alleging negligence in safeguarding sensitive data. The breach reportedly exposed crucial legal information, prompting investigations while underscoring the increasing threats posed by ransomware groups like Lockbit in various sectors, including the legal and healthcare fields.
The Department of Homeland Security’s Customs and Border Protection agency has procured software from Fivecast, an AI company specializing in detecting “sentiment and emotion” in online content, according to documents obtained by 404 Media. CBP employs this technology to analyze open-source information related to travelers who may pose a threat to public safety, national security, or lawful trade and travel. Fivecast’s software, which also offers AI-enabled object recognition and risk term detection, boasts the ability to collect targeted data from major social platforms like Facebook, Reddit, and smaller communities such as 4chan and 8kun.
The New York Knicks have filed a lawsuit against the Toronto Raptors, asserting that a former Knicks employee stole valuable scouting reports and proprietary data to aid the Raptors. The lawsuit targets both the Raptors organization and their head coach, Darko Rajaković, along with the former employee, Ikechukwu Azotam. The Knicks claim that Azotam used his position within their organization to funnel information to the Raptors, impacting their coaching and video staffs and leading to over 2,000 unauthorized accesses to the stolen files by the Raptors defendants.
Ransomware attacks that target individuals and small businesses are on the rise. The Adhubllka ransomware, analyzed by Netenrich researchers, specifically targets regular people and small enterprises, demanding ransoms ranging from $800 to $1,600. Ransomware gangs are increasingly opting for victims who may lack the technical expertise to effectively respond to attacks, often adapting existing ransomware codebases to evade detection. While larger attacks receive media attention, there’s a growing trend of ransom demands under $1,700 from groups like Dharma, Phobos, and Stop/Djvu, emphasizing the need for broader awareness and cybersecurity measures.
HP Wolf Security’s data from April to June 2023 indicates that cybercriminals are creatively combining well-known attack methods to outsmart security systems. Notably, attackers are employing diverse programming languages within the same attack, such as using Go for encryption and C++ to interact with operating systems, enabling them to launch .NET malware in memory. This report underscores the adaptability of cybercriminals and emphasizes the shifting landscape of cybersecurity challenges, particularly as the threat vectors remain email and browser downloads, with attackers exploiting vulnerabilities in seemingly simple yet effective ways.
SpyCloud has successfully raised $110 million in a growth round led by Riverwood Capital, a prominent investor in fast-growing technology companies. Renowned across various industries, including half of the Fortune 10, SpyCloud’s innovative platform safeguards against cybercrimes like ransomware, session hijacking, account takeover, and online fraud. By leveraging its unique technology that captures and analyzes data from the criminal underworld, SpyCloud takes a fresh approach to combating cyber threats, offering value to identity threat detection, endpoint protection, zero trust frameworks, and more.
Copyright © 2023 CyberMaterial. All Rights Reserved.