InfoSec News 20230525
Top News
-
‘Operation Magalenha’ targets credentials of 30 Portuguese banks
"A Brazilian hacking group has been targeting thirty Portuguese government and private financial institutions since 2021 in a malicious campaign called 'Operation Magalenha.'
Examples of the targeted entities include ActivoBank, Caixa Geral de Depósitos, CaixaBank, Citibanamex, Santander, Millennium BCP, ING, Banco BPI, and Novobanco.
This campaign was exposed by a Sentinel Labs report highlighting the tools used by the threat actor, the various infection vectors, and their malware distribution methods.
The analysts uncovered details about the threat actor's origin and tactics thanks to a server misconfiguration that exposed files, directories, internal correspondence, and more."
TLP1 : Green
-
ChatGPT is down worldwide - OpenAI confirms issues
"ChatGPT, the famous artificial intelligence chatbot that allows users to converse with various personalities and topics, has connectivity issues worldwide.
OpenAI has confirmed users are currently experiencing issues worldwide, with many unable to access the AI.
This outage started within the last 45 minutes. According to DownDetector, ChatGPT is currently experiencing an outage in the U.S., Europe, India, Japan, Australia, and other parts of the world.
This is a developing story..."
TLP1 : Green
Cybersecurity State: Surveillance, Cyberwarfare, Cybercriminality and Hacktivism
-
Iranian hackers use new Moneybird ransomware to attack Israeli orgs
"A suspected Iranian state-supported threat actor known as 'Agrius' is now deploying a new ransomware strain named 'Moneybird' against Israeli organizations.
Agrius has been actively targeting entities in Israel and the Middle East region since at least 2021 under multiple aliases while deploying data wipers in destructive attacks.
Check Point's researchers who discovered the new ransomware strain believe that Agrius developed it to help expand their operations, while the use of 'Moneybird' is yet another one of the threat group's attempts to cover their tracks."
TLP1 : Green
-
Chinese hackers breach US critical infrastructure in stealthy attacks
"Microsoft says a Chinese cyberespionage group it tracks as Volt Typhoon has been targeting critical infrastructure organizations across the United States, including Guam, an island hosting multiple military bases, since at least mid-2021.
Their targets and breached entities span a wide range of critical sectors, including government, maritime, communications, manufacturing, information technology, utilities, transportation, construction, and education.
"Microsoft assesses with moderate confidence that this Volt Typhoon campaign is pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises," the Microsoft Threat Intelligence team said.
The initial attack vector is the compromise of Internet-exposed Fortinet FortiGuard devices by exploiting an unknown zero-day vulnerability."
TLP1 : Green
-
The US government sanctioned four entities and one individual for supporting cyber operations conducted by North Korea
"The US Department of the Treasury’s Office of Foreign Assets Control (OFAC) announced sanctions against four entities and one individual for their role in malicious cyber operations conducted to support the government of North Korea.
“The DPRK conducts malicious cyber activities and deploys information technology (IT) workers who fraudulently obtain employment to generate revenue, including in virtual currency, to support the Kim regime and its priorities, such as its unlawful weapons of mass destruction and ballistic missile programs.” reads the announcement.
The sanctioned entities conducted operations to steal funds to support the military strategy of the regime."
TLP1 : Green
Breaches: Data Breaches and Hacks
-
US debt collector breach exposed 1M+ people
"NCB has started sending breach notification letters to affected users about a data breach that exposed nearly 1.1 million people. The US company claims that attackers penetrated its systems on February 1st. It took NCB three days to notice that the company’s systems were breached.
“Recently, confidential client account information maintained by NCB was accessed by an unauthorized party. To date, we are unaware of any misuse of your information as a result of this incident,” the company’s letter to potential victims said."
TLP1 : Green
Vulnerabilities: Vulnerability Advisories, Zero-Days, Patches and Exploits
-
Barracuda Email Security Gateway (ESG) hacked via zero-day bug
"Network security solutions provider Barracuda warned customers that some of its Email Security Gateway (ESG) appliances were recently breached by threat actors exploiting a now-patched zero-day vulnerability.
The vulnerability, tracked as CVE-2023-2868, resides in the module for email attachment screening; the issue was discovered on May 19 and the company fixed it with the release of two security patches on May 20 and 21."
TLP1 : Green
-
Windows 11 Moment 3 released with KB5026446 update, how to enable
"Microsoft has released the Windows 11 22H2 KB5026446 update, aka 'Moment 3,' bringing quite a few new and long-awaited features to the operating system.
The KB5026446 update is a monthly preview update allowing users to test upcoming fixes and features that will be installed as part of the following month's mandatory Patch Tuesday.
While the KB5026446 update is supposed to be optional, it was automatically installed on our device when we checked for new updates."
TLP1 : Green
-
Hackers target 1.5M WordPress sites with cookie consent plugin exploit
"Ongoing attacks are targeting an Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability in a WordPress cookie consent plugin named Beautiful Cookie Consent Banner with more than 40,000 active installs.
In XSS attacks, threat actors inject malicious JavaScript scripts into vulnerable websites that will execute within the visitors' web browsers.
The impact can include unauthorized access to sensitive information, session hijacking, malware infections via redirects to malicious websites, or a complete compromise of the target's system.
WordPress security company Defiant, which spotted the attacks, says the vulnerability in question also allows unauthenticated attackers to create rogue admin accounts on WordPress websites running unpatched plugin versions (up to and including 2.10.1)."
TLP1 : Green
-
GitLab Security Update Patches Critical Vulnerability
"DevOps platform GitLab this week resolved a critical-severity vulnerability impacting both GitLab Community Edition (CE) and Enterprise Edition (EE).
An open source end-to-end software development platform, GitLab helps developers and organizations build, secure, and operate software. The platform has approximately 30 million registered users.
Tracked as CVE-2023-2825 and leading to arbitrary file reads, the newly addressed security defect has the maximum CVSS score of 10.
“An unauthenticated malicious user can use a path traversal vulnerability to read arbitrary files on the server when an attachment exists in a public project nested within at least five groups,” GitLab explains in an advisory."
TLP1 : Green
Incident Response: Infrastructure, Training, SIEM and Incident Handling
-
Today’s Cyber Defense Challenges: Complexity and a False Sense of Security
"There are quite a few industry standards (e.g., ISO/IEC 27001, PCI DSS 4.0) and government regulations (e.g., HIPAA, FISMA, CISA) that provide practical advice on what security controls to establish to minimize an organization’s risk exposure.
Unfortunately, these guidelines often lead organizations to believe that deploying more security solutions will result in greater protection against threats. However, the truth of the matter is very different. Gartner estimates that global spending on IT security and risk management solutions will exceed $189.7 billion annually in 2023, yet the breaches keep on coming (e.g., Constellation Software, NextGen Healthcare, San Bernardino County Sheriff’s Department). As it turns out, purchasing more security tools only adds to complexity in enterprise environments and creates a false sense of security that contributes to today’s cybersecurity challenges."
TLP1 : Green
-
Webinar with Guest Forrester: Browser Security New Approaches
"In today's digital landscape, browser security has become an increasingly pressing issue, making it essential for organizations to be aware of the latest threats to browser security. That's why the Browser Security platform LayerX is hosting a webinar featuring guest speaker Paddy Harrington, a senior analyst at Forrester and the lead author of Forrester's browser security report "Securing The Browser In The World Of Anywhere Work".
During this webinar, Harrington will join LayerX's CEO to discuss the emergence of the browser security category, the browser security risk and threat landscape, and why addressing browser security can wait no longer. The webinar will also cover browser security solutions, explaining their pros, cons, and differences, and how organizations can work more securely in the browser. Additionally, the session will focus on using browser security solutions as a cost-saver for security teams.
Participants will also get an exclusive opportunity to learn from the 2023 Annual Browser Security Report authored by LayerX. The report's insights highlight that securing the modern endpoint means securing the browser, as apps move to web delivery."
TLP1 : Green
Technical Articles: Forensics, Reverse Engineering, Malware, Phishing, Pentesting, Software Security and Cryptography
-
New Buhti ransomware gang uses leaked Windows, Linux encryptors
"A new ransomware operation named 'Buhti' uses the leaked code of the LockBit and Babuk ransomware families to target Windows and Linux systems, respectively.
While the threat actors behind Buhti, now tracked as 'Blacktail,' have not developed their own ransomware strain, they have created a custom data exfiltration utility that they use to blackmail victims, a tactic known as "double-extortion."
Buhti was first spotted in the wild in February 2023 by Palo Alto Networks' Unit 42 team, which identified it as a Go-based Linux-targeting ransomware.
A report published today by Symantec's Threat Hunter team shows that Buhti also targets Windows, using a slightly modified LockBit 3.0 variant codenamed "LockBit Black.""
TLP1 : Green
-
GUAC 0.1 Beta: Google's Breakthrough Framework for Secure Software Supply Chains
"Google on Wednesday announced the 0.1 Beta version of GUAC (short for Graph for Understanding Artifact Composition) for organizations to secure their software supply chains.
To that end, the search giant is making available the open source framework as an API for developers to integrate their own tools and policy engines.
GUAC aims to aggregate software security metadata from different sources into a graph database that maps out relationships between software, helping organizations determine how one piece of software affects another."
TLP1 : Green
-
New PowerExchange malware backdoors Microsoft Exchange servers
"A new PowerShell-based malware dubbed PowerExchange was used in attacks linked to APT34 Iranian state hackers to backdoor on-premise Microsoft Exchange servers.
After infiltrating the mail server via a phishing email containing an archived malicious executable, the threat actors deployed a web shell named ExchangeLeech (first observed by the Digital14 Incident Response team in 2020) that can steal user credentials.
The FortiGuard Labs Threat Research team found the PowerExchange backdoor on the compromised systems of a United Arab Emirates government organization.
Notably, the malware communicates with its command-and-control (C2) server via emails sent using the Exchange Web Services (EWS) API, sending stolen info and receiving base64-encoded commands through text attachments to emails with the "Update Microsoft Edge" subject."
TLP1 : Green
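The PowerExchange C2 pattern quoted above (mail with the "Update Microsoft Edge" subject carrying base64-encoded commands in text attachments) can be turned into a mailbox triage check. This is an added example, not code from the FortiGuard Labs report or the quoted article; the message records are constructed, and their flat layout (subject plus attachments with name, content_type and body) is an assumption for the example rather than the EWS item schema.

```python
import base64
import binascii
import re

# Subject line that the quoted report ties to PowerExchange C2 traffic.
C2_SUBJECT = "update microsoft edge"
_B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

# Constructed sample records, not captured data. The flat layout is an
# assumption made for this example, not the EWS item schema.
SAMPLE_MESSAGES = [
    {"id": "msg-1", "subject": "Update Microsoft Edge",
     "attachments": [{"name": "notes.txt", "content_type": "text/plain",
                      "body": base64.b64encode(b"constructed placeholder").decode()}]},
    {"id": "msg-2", "subject": "Update Microsoft Edge",
     "attachments": [{"name": "readme.txt", "content_type": "text/plain",
                      "body": "Please install the latest browser build."}]},
    {"id": "msg-3", "subject": "Quarterly report",
     "attachments": [{"name": "q1.txt", "content_type": "text/plain",
                      "body": "aGVsbG8gd29ybGQ="}]},
]


def looks_base64(text, min_len=16):
    """True if text (ignoring line wraps) is one well-formed base64 blob."""
    s = "".join(text.split())
    if len(s) < min_len or len(s) % 4 or not _B64_RE.match(s):
        return False
    try:
        base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def flag_powerexchange_c2(messages):
    """Return (message id, attachment name) pairs matching the C2 pattern."""
    # Both conditions must hold; legitimate mail can carry base64 text, so
    # hits are triage candidates, not verdicts.
    hits = []
    for msg in messages:
        if msg.get("subject", "").strip().lower() != C2_SUBJECT:
            continue
        for att in msg.get("attachments", []):
            text_att = att.get("content_type", "").startswith("text/")
            if text_att and looks_base64(att.get("body", "")):
                hits.append((msg["id"], att["name"]))
    return hits
```

Running `flag_powerexchange_c2(SAMPLE_MESSAGES)` flags only msg-1; msg-2 shares the subject but its attachment is plain prose, and msg-3 carries base64 under an unrelated subject.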
1Traffic Light Protocol (TLP) [1] for information sharing:
- Red: Not for disclosure, restricted to participants only.
- Amber: Limited disclosure, restricted to participants organizations.
- Green: Limited disclosure, restricted to the community.