Cyber Briefing: 2023.08.07
👉 What’s happening in cybersecurity today? hVNC Malware, MacOS, Apple, Reptile Rootkit, South Korea, Microsoft Power Platform, Team R70, Chhattisgarh State Biodiversity Board, Aristocrat, NDT SEC, Delta Electronics, VMConnect, Black Basta Ransomware, Capita, FCC.
Welcome to Cyber Briefing, the newsletter that informs you about the latest cybersecurity advisories, alerts, incidents and news every weekday.
🚨 Cyber Alerts
1. Rising hVNC Malware Targeting macOS
A recently discovered hVNC tool for hacking macOS systems has been causing concern among security experts. This malicious software, sold on a Russian cybercrime forum, provides threat actors with remote control over infected machines, posing a risk to sensitive data such as credentials and financial information. The actor behind this, known as ‘RastaFarEye,’ has a history of cybercriminal activity and offers an extended range of malicious capabilities with an additional fee. As this new malware trend emerges, users are advised to update their macOS versions and exercise caution when downloading software to prevent falling victim to these stealthy attacks.
2. Reptile Rootkit Targeting Linux
In a recent report by AhnLab Security Emergency Response Center (ASEC), an open-source rootkit known as Reptile is being used by threat actors to target Linux systems in South Korea. Going beyond typical rootkit functionalities, Reptile offers a reverse shell, enabling threat actors to gain control over compromised systems. The malware employs port knocking techniques, opening specific ports on infected systems to establish connections with command and control servers, allowing for stealthy communication. The advanced capabilities of Reptile have been utilized in at least four distinct campaigns since 2022, highlighting its significant impact on the threat landscape.
3. NPM Packages Exfiltrate Sensitive Data
Researchers have identified a series of malicious packages on the npm package manager designed to extract sensitive developer information. Phylum researchers noticed ten “test” packages published on npm on July 31, 2023, which were created to exfiltrate confidential source code and other vital data. These packages, all attributed to the same user malikrukd4732, include files that trigger the execution of code leading to data exfiltration. The malicious script collects various details, creates ZIP archives, and attempts to upload them to an FTP server, potentially exposing sensitive credentials of developers. This revelation underlines the critical importance of trusting dependencies and remaining vigilant against such targeted attacks within the developer community.
4. Advancements in STRRAT Malware
According to Cyble Research and Intelligence Labs (CRIL), the notorious STRRAT malware has evolved yet again with the introduction of version 1.6, showcasing a novel infection technique. The updated method starts with a convincing spam email containing a malicious PDF attachment, which, upon opening, triggers the download of an encrypted payload disguised as a ZIP file. STRRAT’s adoption of dual string obfuscation techniques, Zelix KlassMaster (ZKM) and Allatori, further complicates analysis and detection, emphasizing the determination of threat actors to stay ahead of cybersecurity measures. With over 70 samples of STRRAT version 1.6 detected, it’s clear that cybercriminals are continuously refining their tactics to remain a persistent and potent threat.
5. Microsoft’s Delayed Response to Power Platform Flaw
Microsoft has taken steps to rectify a crucial security flaw in its Power Platform, a move that drew attention due to the delay in addressing the issue. The vulnerability, which could have resulted in unauthorized access to Custom Code functions, raised concerns about the potential exposure of sensitive information. Despite the absence of active exploitation, the situation prompted discussions about the need for effective communication and swift action in the face of cybersecurity threats.
6. Unauthenticated RCE Threats in PaperCut Software
PaperCut’s NG/MF print management software has resolved a significant vulnerability enabling unauthenticated attackers to achieve remote code execution on unpatched Windows servers. This flaw, tracked as CVE-2023-39143, stems from two path traversal weaknesses discovered by Horizon3 security researchers, which can be exploited for low-complexity attacks without user interaction, potentially granting threat actors unauthorized access to manipulate files. While the vulnerability particularly affects non-default server configurations with external device integration enabled, a majority of Windows PaperCut servers are believed to have this setting active, emphasizing the need for prompt attention and patching to mitigate potential risks.
💥 Cyber Incidents
7. Cyber Attack on Biodiversity Board
Hacktivist group ‘Team R70’ has claimed responsibility for defacing the Chhattisgarh State Biodiversity Board’s website, though official confirmation is pending. The biodiversity board, based in central India, is dedicated to conserving the region’s rich biodiversity and promoting sustainable development. The cyber attack underscores the growing trend of hackers collaborating to target websites, highlighting the broader implications of geopolitical tensions on organizations and individuals alike.
8. Gaming Giant’s Data Breach
Aristocrat, a global gaming content and technology company, is reeling from a devastating cyber attack that resulted in a data breach. Hackers exploited a zero-day vulnerability in third-party file-sharing software, MOVEit, to access and extract sensitive information, including employee data, from the company’s servers. Despite reassurances of low business impact, Aristocrat is taking proactive measures, collaborating with law enforcement, and deploying independent security experts to mitigate the fallout from this alarming breach.
9. Thailand’s Delta Electronics Hit by NDT SEC
In a recent cyber attack attributed to the NDT SEC hacking group, Delta Electronics’ website in Thailand was reportedly targeted, causing concerns about potential data compromise. Despite the group claiming responsibility, the company’s website remains operational, leaving the extent of the breach uncertain. The NDT SEC hacking group, known for its bold cyber attacks and proactive sharing on platforms like Telegram, has previously targeted various organizations, highlighting their ongoing digital exploits in the cybersecurity realm.
10. Higher Education Department Hit by Data Breach
The Colorado Department of Higher Education (CDHE) has announced a potential data breach affecting certain individuals. The breach, which occurred between June 11 and June 19, 2023, exposed sensitive personal data, including names, social security numbers, and education records. CDHE is actively investigating the incident and implementing enhanced cybersecurity safeguards while offering impacted individuals complimentary credit monitoring and identity theft protection services through Experian for two years. As the investigation continues, those potentially affected by the breach are urged to remain vigilant against identity theft and fraud, review account statements, and monitor their credit reports for any suspicious activity. Further information and assistance can be found on CDHE’s website or hotline.
📢 Cyber News
11. Malicious PyPI Packages Deceive IT Experts
In an alarming discovery, a malicious package masquerading as the legitimate VMware vSphere connector module ‘vConnector’ has been found on the Python Package Index (PyPI) under the name ‘VMConnect.’ This deceptive package specifically targets IT professionals, potentially exposing their systems to serious risks. The fraudulent package, which mimics the real vConnector, was downloaded 237 times before its removal, raising concerns about the security of virtualization tools used by developers and system administrators.
12. Lawsuit Claims Hospital Shared Patient Data
A Seattle-area hospital is accused of integrating Facebook’s online tracking tools into its website, resulting in the sharing of personal health data belonging to hundreds of thousands of individuals with Meta and other third parties. The plaintiff alleges that the hospital’s website contained code that allowed Meta to capture patient information from their interactions with doctors and health service requests. This lawsuit raises concerns about privacy and security risks associated with website tracking technologies and underscores potential implications for sensitive user information.
13. Capita’s £68M Loss Linked to Cyber Incident
The outsourcing firm Capita anticipates a financial impact of up to £25 million due to a cyber-attack orchestrated by the Black Basta ransomware group, leading to a pre-tax loss of nearly £68 million in the first half of the year. The attack targeted Capita’s Microsoft Office 365 software, compromising the personal data of its employees and clients. While the breach affected less than 0.1% of its server estate, Capita’s ongoing recovery efforts have incurred substantial costs, including data analysis, recovery, cybersecurity enhancement, and remediation.
14. FCC Imposes Huge Fine for Robocall Scam
In a groundbreaking move, the Federal Communications Commission (FCC) has announced an extraordinary fine of $300 million levied against an international network of companies responsible for inundating over 500 million phone numbers with an astonishing five billion robocalls during a mere three-month span in 2021. The fined entities, operating under names like Sumco Panama, Virtual Telecom, and Davis Telecom, engaged in a litany of violations, from unauthorized telemarketing calls to violating the National Do Not Call Registry. Employing caller ID spoofing tools to obfuscate their origin, these calls even managed to generate a now-infamous meme. The FCC has not only issued this staggering fine but has also enforced aggressive measures to halt these activities, marking a significant milestone in the fight against rampant robocall abuse.
15. Nigerian Guilty in $1.25M Email Scam
Nigerian national Onwuchekwa Nnanna Kalu pleaded guilty to orchestrating a $1.25 million business email compromise (BEC) scam targeting a Boston-based investment firm. Kalu’s guilty plea, announced by U.S. Attorney Matthew M. Graves and Acting Special Agent in Charge David Geist of the FBI Washington Field Office’s Criminal and Cyber Division, highlights the scheme’s intricate nature. The fraudulent operation involved malware installation, spoofed email domains, and the diversion of funds to overseas bank accounts, a stark reminder of the dangers posed by BEC scams to businesses and institutions alike.
Copyright © 2023 CyberMaterial. All Rights Reserved.