Cyber Briefing: 2023.07.28

CyberMaterial
8 min read · Jul 28, 2023


👉 What are the latest cybersecurity alerts, incidents, and news? Ninja Forms, WordPress, Zimbra Vulnerability, Nitrogen Malvertising Campaign, Mirai Botnet, Cryptocurrencies, Mysterious Elephant, Maximus, DepositFiles, UK, Switzerland, Schengen Visa, Kenya, Credentials, Cryptojacking, China, Ukraine, SSNDOB Marketplace.

Welcome to Cyber Briefing, the newsletter that informs you about the latest cybersecurity advisories, alerts, incidents and news every weekday.


🚨 Cyber Alerts

1. Critical WordPress Plugin Vulnerabilities

A recent security advisory revealed that Ninja Forms, a widely used forms builder plugin for WordPress with over 900,000 active installations, is affected by multiple high-severity vulnerabilities. Among them is a POST-based reflected Cross-Site Scripting (XSS) flaw, which could enable unauthorized users to execute malicious code or steal sensitive information from affected WordPress sites. Additionally, broken access control issues were discovered in the form submissions export feature, allowing Subscriber and Contributor level users to access all Ninja Forms submissions regardless of their intended privileges. Users are strongly urged to update the plugin to version 3.6.26 to protect their websites from potential exploitation.

2. New Nitrogen Malvertising Campaign

A new malvertising campaign, named Nitrogen, has been discovered utilizing ads on Google Search and Bing to target users seeking popular IT tools like AnyDesk, Cisco AnyConnect VPN, and WinSCP. The attackers trick users into downloading trojanized installers, intending to breach enterprise networks and potentially carry out future ransomware attacks. This opportunistic campaign deploys second-stage attack tools, such as Cobalt Strike, to gain remote access and execute code on infected systems, all while masking their malicious activities using uncommon export forwarding and DLL preloading techniques. The surge in cybercriminals employing paid advertisements to lure users to malicious sites underscores the urgency for organizations to be vigilant against these sophisticated threats and implement robust cybersecurity measures.

3. Zimbra Security Fix, CISA Alerts Agencies

Zimbra has released security updates to address a zero-day vulnerability in its Collaboration Suite (ZCS) email servers that was exploited in targeted attacks. The vulnerability, identified as CVE-2023-38750, is a reflected Cross-Site Scripting (XSS) flaw discovered by Google Threat Analysis Group’s Clément Lecigne. Such XSS attacks can lead to the theft of sensitive data or the execution of malicious code on vulnerable systems. Although initially not disclosed as actively exploited, it was later revealed that the vulnerability had been discovered during a targeted attack.

4. Mysterious Elephant and Lazarus Cyber Threats

In the second quarter of 2023, a new malicious actor named “Mysterious Elephant” emerged in the Asia-Pacific region, drawing attention from cybersecurity firm Kaspersky. This threat actor stands out with its unique combination of new backdoor families and distinctive tactics, techniques, and procedures (TTPs), while also sharing some similarities with known threat actors like Confucius and SideWinder. Additionally, the report sheds light on the “Operation Triangulation” campaign, revealing a previously unknown iOS malware platform distributed through zero-click iMessage exploits.

5. Mirai Malware Targets Tomcat Servers

In a new campaign, Aqua detected over 800 attacks against its Tomcat server honeypots, with 96% linked to the notorious Mirai botnet. The threat actors targeted misconfigured and poorly secured Apache Tomcat servers, attempting to gain access through brute-force attacks on the web application manager. Once successful, they deployed a malicious web shell class named “cmd.jsp” to execute arbitrary commands, including downloading and running a shell script called “neww,” which launches the final-stage malware: a variant of the Mirai botnet used for orchestrating distributed denial-of-service (DDoS) attacks and cryptocurrency mining. To combat this ongoing campaign, organizations are urged to secure their environments and maintain strong credential hygiene.
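The attack chain described above (manager brute force, successful login, application deployment, then requests to a cmd.jsp web shell) is visible in Tomcat access logs. The following detection script is an added example, not part of the original briefing or Aqua's research; the log lines are constructed, the IP addresses are documentation ranges, and the five-failure threshold is an assumption.

```python
import re
from collections import defaultdict

# Tomcat AccessLogValve common-format line: ip ident user [time] "METHOD path proto" status bytes
LINE_RE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def analyze(log_text, threshold=5):
    """Return {ip: [finding, ...]} for clients showing the Tomcat manager attack chain."""
    failures = defaultdict(int)   # consecutive 401s against /manager/ per client IP
    findings = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected access-log format
        ip, user, method, path, status = m.groups()
        on_manager = path.startswith("/manager/")
        if on_manager and status == "401":
            failures[ip] += 1
            if failures[ip] == threshold:  # report once when the threshold is crossed
                findings[ip].append(f"manager brute force: {threshold}+ failed logins")
        elif on_manager and status == "200" and failures[ip] >= threshold:
            findings[ip].append(f"manager login succeeded after {failures[ip]} failures (user={user})")
            failures[ip] = 0  # reset so the success is reported only once
        # Deployment through the manager app right after a brute force is the key pivot.
        if on_manager and method in ("POST", "PUT") and ("upload" in path or "deploy" in path):
            findings[ip].append(f"application deployed via manager: {method} {path}")
        # The web shell class name reported in the campaign.
        if path.split("?")[0].lower().endswith("cmd.jsp"):
            findings[ip].append(f"web shell request: {method} {path}")
    return dict(findings)

# Constructed sample log (not real traffic): one attacker, one legitimate admin.
SAMPLE_LOG = "\n".join(
    [f'203.0.113.7 - - [28/Jul/2023:10:01:0{i} +0000] "GET /manager/html HTTP/1.1" 401 2473'
     for i in range(1, 6)]
    + [
        '203.0.113.7 - tomcat [28/Jul/2023:10:01:07 +0000] "GET /manager/html HTTP/1.1" 200 19821',
        '203.0.113.7 - tomcat [28/Jul/2023:10:01:09 +0000] "POST /manager/html/upload HTTP/1.1" 200 19990',
        '203.0.113.7 - - [28/Jul/2023:10:01:11 +0000] "GET /ROOT/cmd.jsp HTTP/1.1" 200 58',
        '198.51.100.4 - admin [28/Jul/2023:10:05:00 +0000] "GET /manager/html HTTP/1.1" 200 19821',
    ]
)

if __name__ == "__main__":
    for ip, items in analyze(SAMPLE_LOG).items():
        print(ip)
        for item in items:
            print("  -", item)
```

Point it at a real `localhost_access_log.*.txt` by reading the file into `analyze`; the manager-only login of 198.51.100.4 produces no finding, while the attacker IP yields all four stages.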

💥 Cyber Incidents

6. Maximus Reveals Data Breach Impacting 11M

In a recent Form 8-K filing with the US Securities and Exchange Commission, Maximus, a government services provider, confirmed that the personal information of up to 11 million individuals was stolen in the MOVEit cyberattack earlier this year. The attack, exploiting a zero-day vulnerability in the MOVEit Transfer managed file transfer software, affected 513 organizations, with approximately 35 million individuals’ data being stolen in the malicious campaign, as reported by cybersecurity firm Emsisoft. The stolen information included sensitive details such as Social Security numbers, and Maximus estimates the costs of investigation and remediation to reach around $15 million for the quarter ended June 30, 2023.

7. Security Breach at DepositFiles

In a recent cyber attack, popular web hosting service DepositFiles had its environment configuration file exposed, revealing a treasure trove of highly sensitive credentials. Researchers discovered that the file contained Redis database credentials, email credentials, payment system credentials, and even social media account credentials. This extensive data leak poses significant risks to DepositFiles’ users and the company itself, potentially enabling cybercriminals to carry out DDoS attacks, deploy ransomware, and cause severe financial losses. With critical information accessible, the company faces challenges in safeguarding user privacy and official communication channels, making it a major security concern.

8. UK Swiss Visa Appointments Canceled Due to IT Issue

All Swiss (Schengen) tourist and transit visa appointments have been canceled in the UK due to an “IT incident” at TLScontact, the Swiss government’s chosen IT provider for visa applicants. The incident affected centers in London, Manchester, and Edinburgh, leaving applicants stranded and uncertain about their travel plans. As the company handles sensitive personal information of millions of visa applicants worldwide, the incident raises concerns about the security of IT systems in visa processing agencies.

9. Ambulance Trusts Cyber Attack

Two major ambulance trusts, South Central Ambulance Service (SCAS) and South Western Ambulance Service (SWASFT), serving a combined population of 12 million people, are facing a critical situation as they have been cut off from their electronic patient records due to a cyber attack. The incident targeted a third-party technology company, Ortivus, which both trusts relied on for crucial medical information. While patient care is still being prioritized, ambulances are attending emergencies without access to essential medical history, such as allergies, health incidents, and medications, resulting in potential delays in treatment. NHS England is actively investigating the matter alongside law enforcement agencies to resolve the issue and reconnect the vital systems.

10. Anonymous Sudan Hackers Target Kenya

ICT Cabinet Secretary Eliud Owalo has confirmed that the government’s online services experienced a cyber attack, with hackers identifying themselves as Anonymous Sudan. Mr. Owalo stated that although the attack affected the platform’s accessibility, no data was lost, and the government is actively working to resolve the issue. He emphasized the need for an elaborate risk mitigation framework and assured Kenyans that their data is safe. Anonymous Sudan, on social media, claimed to target more government digital services, while the CS reassured the public that the portal would return to normalcy soon.

📱 Cyber News

11. Valid Credentials Most Common Attack Vector

In a comprehensive report released by the Cybersecurity and Infrastructure Security Agency (CISA), it has been revealed that abuse of valid credentials was the primary method employed in slightly over 50% of critical infrastructure attacks that occurred over a year-long period. The report points to poor employee offboarding processes as a major culprit, leaving dormant accounts lingering in Active Directory, and identifies default administrator accounts as a prime target; together these made up the majority of successful attacks. Spear-phishing, a social engineering technique, also played a significant role, accounting for about one-third of successful breaches. The findings underscore the importance of robust cybersecurity measures, including multifactor authentication and vigilant offboarding processes, to combat evolving cyber threats.

12. Rise of Cryptojacking in 2023

In SonicWall’s 2023 Mid-Year Cyber Threat Report, the company highlights the escalating global cyber threat landscape, with cybercriminals shifting towards cryptojacking and other stealthy tactics to bypass traditional defenses. The decline in ransomware attempts (-41%) has been countered by a significant increase in cryptojacking (+399%), IoT malware (+37%), and encrypted threats (+22%). These financially motivated threat actors have become more opportunistic, targeting schools, local governments, and retail organizations with higher success rates. The report emphasizes the importance of advanced countermeasures and the need for organizations to bolster their defenses against evolving malicious activities.

13. US Senator Demands Probe into China Hack

In a letter addressed to the Justice Department, Federal Trade Commission, and Cybersecurity and Infrastructure Security Agency (CISA), U.S. Senator Ron Wyden (D-OR) urged an investigation into the recent hack of Microsoft-provided email accounts used by high-ranking government officials. The breach allegedly involved Chinese government hackers infiltrating the email accounts of officials, including U.S. Commerce Secretary Gina Raimondo and U.S. Ambassador to China Nicholas Burns, before their visit to China. Senator Wyden criticized Microsoft for its security practices and called for accountability through a whole-of-government effort.

14. Teen Arrested in Exam Board Cyber Attacks

In a recent development, a 16-year-old boy from Hertfordshire has been arrested by the police in connection with cyber attacks on exam boards Pearson and OCR. The incident involved the unauthorized extraction and sale of exam papers from their systems. The boy was apprehended on suspicion of theft, fraud by false representation, and computer misuse. While he has been released on bail until early October, Surrey Police is also conducting an investigation into a separate allegation of fraud and computer misuse at England’s largest exam board, AQA. The exam boards’ governing body, the Joint Council for Qualifications, stated that severe sanctions would be imposed on anyone found involved in such security breaches after investigations are completed.

15. Ukrainian Pleads Guilty to Cyber Fraud

In a major cybercrime case, Vitalii Chychasov, a Ukrainian man, has admitted guilt in a conspiracy to commit access device fraud and trafficking in unauthorized access devices through the now-defunct SSNDOB Marketplace. As the administrator of the marketplace, Chychasov facilitated the sale of sensitive personal information of 24 million individuals in the United States, including their full names, dates of birth, and Social Security Numbers (SSNs), generating over $19 million in sales revenue. His actions have contributed to various frauds, such as tax fraud, unemployment insurance fraud, loan fraud, and credit card fraud. Chychasov was arrested and extradited to the U.S., facing a potential maximum imprisonment penalty of 15 years and agreeing to forfeit $5 million in estimated crime proceeds.


Copyright © 2023 CyberMaterial. All Rights Reserved.
