Cyber Briefing: 2023.07.07

CyberMaterial
7 min read · Jul 7, 2023


The latest in cybersecurity: Google Play, Truebot Malware, Cisco Switches, Microsoft Defender, Android, Shell, MOVEit, UConn, Multichain, China, Ransomware, Node4.

Welcome to Cyber Briefing, the newsletter that informs you about the latest cybersecurity advisories, alerts, incidents and news every weekday.

First time seeing this? Please subscribe.

🚨 Cyber Alerts

1. Malicious Apps Stealing User Data on Google Play

Security researchers have uncovered two file management applications on Google Play that have amassed over 1.5 million installations, but are secretly collecting excessive user data beyond what is necessary for their stated functionality. The apps, both from the same publisher, can launch without user interaction and send the stolen data to servers in China. Despite being reported to Google, the apps are still available on Google Play, posing a significant risk to users’ privacy.

2. New Truebot Malware Threat Targets US and Canada

CISA and the FBI have issued a warning regarding the emergence of new Truebot malware variants that are being deployed in attacks targeting organizations across the United States and Canada. The malware is being spread through a critical remote code execution vulnerability (CVE-2022-31199) in the Netwrix Auditor software, allowing unauthorized attackers to execute malicious code with system-level privileges. Truebot is associated with the Silence cybercrime group and is used to deploy Clop ransomware on compromised networks, while the TA505 group utilizes the FlawedGrace Remote Access Trojan for privilege escalation.

3. JumpCloud Invalidates API Keys in Ongoing Incident

JumpCloud, a leading enterprise software firm based in the US, has issued notifications to several customers regarding an ongoing incident. As a precautionary measure, the company has invalidated existing admin API keys and advised affected organizations to generate new keys for protection. With over 180,000 organizations in more than 160 countries relying on its cloud-based directory-as-a-service platform, JumpCloud’s response aims to safeguard customer operations amidst the investigation.

4. Cisco Warns of Switch Vulnerability

Cisco has alerted customers to a high-severity vulnerability that affects certain data center switch models, enabling attackers to manipulate encrypted traffic. Tracked as CVE-2023-20185, the flaw was discovered during internal security testing of the ACI Multi-Site CloudSec encryption feature in Cisco Nexus 9000 Series Fabric Switches. The vulnerability specifically impacts Cisco Nexus 9332C, 9364C, and 9500 spine switches in ACI mode running firmware 14.0 and later releases. Attackers can exploit this flaw to intercept and modify intersite encrypted traffic remotely.

5. Microsoft Fixes LSA Protection Issue in Update

Microsoft has acknowledged that Windows 11 21H2 and 22H2 systems are affected by an issue causing false warnings about LSA Protection being turned off, despite the feature being enabled. LSA Protection is designed to safeguard users from credential theft, making the warnings concerning. Microsoft has released an update to address this issue and advises affected users to check for updates or wait for the automatic installation.

6. Google Fixes 46 Android Vulnerabilities, Addresses Exploits

Google has rolled out its latest batch of monthly security updates for the Android operating system, addressing a total of 46 vulnerabilities. Three of the vulnerabilities, CVE-2023-26083, CVE-2021-29256, and CVE-2023-2136, are believed to be actively exploited in targeted attacks. Notably, CVE-2023-26083 was used in a December 2022 exploit chain that delivered spyware to Samsung devices.

7. Equestrian Platform Hacked: 10K Data Exposed

The little-known Australian company Event Secretary, used by major horse riding organizations for bookings and competitions, has suffered a cyber attack resulting in the theft and publication of personal data belonging to 10,000 individuals. The criminals claim to have accessed names, email addresses, residential addresses, phone numbers, and bank details of the victims. Event Secretary did not respond to ransom demands, leading the hackers to publish the data nearly a year after the initial breach. This incident adds to a string of cyber attacks on Australian firms, including PwC, HWL Ebsworth, Latitude, Medibank, and Optus, highlighting the growing threat of cybercrime in the country.

8. Shell Employee Data Compromised: Cyber Attack

Energy giant Shell has acknowledged that personal information belonging to its employees has been compromised following the recent MOVEit Transfer hack. The attack, orchestrated by the Cl0p ransomware group, exploited a zero-day vulnerability in the MOVEit managed file transfer (MFT) product, affecting at least 130 organizations and impacting an estimated 15 million individuals. Shell, among the first organizations named by the cybercrime gang, clarified that the MFT software was used by a small number of its employees and customers. The extent and nature of the compromised information remain unclear, but Shell has taken immediate steps to notify affected individuals and provide toll-free phone numbers for further assistance in multiple countries.

9. UConn Targeted: Hackers Spoof Emails

A covert group of hackers, known as SiegedSec, made headlines for infiltrating government agency networks in states with anti-transgender legislation. Now, the group has claimed a new target: the University of Connecticut. The hackers sent spoof emails, including one falsely announcing the “Unfortunate Passing of Radenka Maric,” leaving students initially shocked and concerned. While some saw the incident as an absurdity and shared memes, others questioned the university’s vulnerability to cyber attacks and potential risks to personal data.

10. Multichain Exploit: $130M Token Loss

Cross-chain router protocol Multichain has fallen victim to an exploit resulting in the loss of nearly $130 million as an attacker drained funds from multiple token bridges. The unexpected outflows from Multichain’s Fantom bridge, involving major cryptocurrencies like wBTC, USDC, and USDT, alarmed industry experts and triggered concerns of a possible hack. Multichain is currently investigating the incident, while on-chain sleuths and the crypto community closely monitor the situation.

11. China’s Counter-Espionage Law: Business Implications

China implemented a new Counter-Espionage Law on July 1, granting authorities extensive powers to investigate and seize property of companies operating in China. The law aims to safeguard national security by targeting cyberattacks, espionage activities, and obstruction of government functions. U.S. businesses face growing uncertainty as the revised law and recent raids on Western firms by Chinese authorities increase risks and market uncertainty, potentially impacting foreign investment and supply chains.

12. Record-Breaking Cyber Reports & Resilient UK Businesses

According to the latest report from the UK’s National Cyber Security Centre (NCSC), British businesses and citizens reported a staggering 7.1 million suspicious emails and URLs in 2022, equivalent to one every five seconds. These reports led to the direct removal of nearly a quarter of a million malicious URLs from the internet. The report highlights the success of the NCSC’s Active Cyber Defence (ACD) program, which takes a “whole-of-society” approach to cybersecurity and prevents high-volume cyber attacks from reaching UK organizations and citizens.

13. Onix Group Faces Lawsuits After Ransomware Attack

A Pennsylvania-based real estate firm, Onix Group, is facing three proposed federal class action lawsuits following a ransomware attack in May. The attack compromised sensitive information of 319,500 individuals, including patient data from addiction treatment centers. The lawsuits allege negligence on the part of Onix Group for failing to adequately protect personal information from unauthorized access, seeking monetary damages and an injunctive order to improve its information security practices.

14. Node4 Acquires ThreeTwoFour: Security Expansion

Node4, a technology solutions provider, has announced the acquisition of ThreeTwoFour, a specialist in information security and technology risk. This marks Node4’s third significant growth purchase in the last 18 months, expanding its capabilities in security and transformation. The acquisition enhances Node4’s suite of information security services and broadens its reach, particularly in the financial services sector, while also equipping the company to meet the increasing demands for effective cyber security solutions in the public sector and government frameworks.

15. Former Amazon Manager: 16-Year Sentence

Kayricka Wortham, a former operations manager at an Amazon warehouse in Georgia, has been sentenced to 16 years in prison for stealing over $9.4 million from Amazon.com. Wortham, along with six other individuals, participated in a fraudulent scheme involving fake vendors and fictitious invoices. Wortham used her position to input fake vendor data into Amazon’s system and approved payments for these invoices, resulting in the company paying out millions of dollars to her and her accomplices.

Subscribe and Comment.

Copyright © 2023 CyberMaterial. All Rights Reserved.

Follow CyberMaterial on:

LinkedIn, Twitter, Reddit, Instagram, Facebook, Youtube, and Medium.
