InfoSec News 20230515

  • Published: Mon, 15/05/2023 - 12:57

Top News


  • Facebook glitch reveals if you’re an online creeper

"Cybernews has confirmed a five-year-old Facebook glitch is sending automatic friend requests to the Facebook profiles you visit – leaving some online stalkers, er, we mean snoopers, quite embarrassed.
Whether it's your latest Hinge match, an old crush from high school, or even the new neighbors down the block, we've all done it. Social media snooping, that is.
Normally, when you snoop on someone’s social media profile, the person has no idea and will never find out.
But some Facebook users are finding out that a little-known bug in the social media platform is exposing their shadowy behavior by automatically triggering a Facebook friend request when visiting certain individual profile pages."

Link

TLP¹: Green

  • Executive Fired From TikTok’s Chinese Owner Says Beijing Had Access to App Data in Termination Suit

"A former executive fired from TikTok’s parent company ByteDance made a raft of accusations against the tech giant Friday, including that it stole content from competitors like Instagram and Snapchat, and served as a “propaganda tool” for the Chinese government by suppressing or promoting content favorable to the country’s interests.
The allegations were made in a complaint Friday by Yintao Yu, the head of engineering for ByteDance’s U.S. operations from August 2017 to November 2018, as part of a wrongful termination lawsuit filed earlier this month in San Francisco Superior Court. Yu claims he was fired for disclosing “wrongful conduct” he saw at the company.
In the complaint, Yu alleges the Chinese government monitored ByteDance’s work from within its Beijing headquarters and provided guidance on advancing “core communist values.”"

Link

TLP¹: Green

Cybersecurity State: Surveillance, Cyberwarfare, Cybercriminality and Hacktivism


  • New Phishing-as-a-Service Platform Lets Cybercriminals Generate Convincing Phishing Pages

"A new phishing-as-a-service (PhaaS or PaaS) platform named Greatness has been leveraged by cybercriminals to target business users of the Microsoft 365 cloud service since at least mid-2022, effectively lowering the bar to entry for phishing attacks.
"Greatness, for now, is only focused on Microsoft 365 phishing pages, providing its affiliates with an attachment and link builder that creates highly convincing decoy and login pages," Cisco Talos researcher Tiago Pereira said.
"It contains features such as having the victim's email address pre-filled and displaying their appropriate company logo and background image, extracted from the target organization's real Microsoft 365 login page.""

Link

TLP¹: Green

  • Former Ubiquiti Employee Gets 6 Years in Jail for $2 Million Crypto Extortion Case

"A former employee of Ubiquiti has been sentenced to six years in jail after he pleaded guilty to posing as an anonymous hacker and a whistleblower in an attempt to extort almost $2 million worth of cryptocurrency while working at the company.
Nickolas Sharp, 37, was arrested in December 2021 for using his insider access as a senior developer to steal confidential data and send an anonymous email asking the network technology provider to pay 50 bitcoin (about $2 million at the time) in exchange for the siphoned information.
Ubiquiti, however, didn't yield to the ransom attempt and instead looped in law enforcement, which eventually identified Sharp as the hacker after tracing a VPN connection to a Surfshark account purchased with his PayPal account."

Link

TLP¹: Green

  • Brave unveils new "Forgetful Browsing" anti-tracking feature

"The privacy-focused Brave Browser is introducing a new "Forgetful Browsing" feature that prevents sites from re-identifying you on subsequent visits.
This new feature will clear not only cookies at the sites you specify but also data in local storage and the cache when you close a website. While this will also automatically log users out of sites, it also prevents re-identification when they return to the site at a future time.
Users can enable "Forgetful Browsing" from the software's settings menu, either for all websites (global default) or for a specified list of sites.
"When this option is set, Brave will clear first-party storage for the site a few seconds after there are no more open tabs for the site," explains Brave Software's announcement.
"Forgetful Browsing clears both explicitly stored values (e.g. cookies, localStorage, or indexedDB) and indirectly stored values (e.g. HTTP cache or DNS cache)."
The Brave Software team explained that although its browser offers robust protections against third-party tracking, the privacy issues that arise from first-party tracking remain somewhat unaddressed."

Link

TLP¹: Green

  • New 'MichaelKors' Ransomware-as-a-Service Targeting Linux and VMware ESXi Systems

"A new ransomware-as-a-service (RaaS) operation called MichaelKors has become the latest file-encrypting malware to target Linux and VMware ESXi systems as of April 2023.
The development points to cybercriminal actors increasingly setting their eyes on the ESXi, cybersecurity firm CrowdStrike said in a report shared with The Hacker News.
"This trend is especially noteworthy given the fact that ESXi, by design, does not support third-party agents or AV software," the company said.
"In fact, VMware goes as far as to claim it's not required. This, combined with the popularity of ESXi as a widespread and popular virtualization and management system, makes the hypervisor a highly attractive target for modern adversaries.""

Link

TLP¹: Green

Breaches: Data Breaches and Hacks


  • Capita warns customers to assume that their data was stolen

"In early April, the UK outsourcing giant Capita confirmed that its staff was locked out of their accounts on Friday after a cyber incident.
Capita is one of the government’s biggest suppliers, with £6.5bn of public sector contracts, reported The Guardian. The outsourcing firm signed numerous contracts with the Ministry of Defence.
In an update shared on April 3 about the incident, the company announced it has experienced a cyber incident primarily impacting access to internal Microsoft Office 365 applications.
The attack disrupted some services provided to individual clients, but the company pointed out that the majority of its client services were not impacted."

Link

TLP¹: Green

  • Discord warns of data breach involving support agent

"Discord, the instant messaging and call platform, notified its users of a breach resulting from a compromised third-party support agent.
The messaging service, which was recently used to leak top-secret Pentagon documents, notified its users about unauthorized access to a third-party customer service agent’s support ticket queue.
“Due to the nature of the incident, it is possible that your email address, the contents of customer service messages and any attachments sent between you and Discord may have been exposed to a third party,” Discord’s warning said.
According to the company, it deactivated the compromised account and checked the affected device for malware once the issue was noted. The company didn’t specify whether it found something or not.
Discord said the company reached out to its customer service partner to “improve their practices,” expecting to prevent similar types of issues from happening in the future."

Link

TLP¹: Green

  • Personal info of 90k hikers leaked by French tourism company La Malle Postale

"The Cybernews research team has discovered a data leak on La Malle Postale’s system that exposed the personal data of their clients. The leaked information included names, phone numbers, emails, private communication via SMS messages, passwords, and employees’ credentials.
Founded in 2009, the company provides luggage and passenger transportation services on many popular hiking routes, including the famous Santiago de Compostela pilgrimage trail. The services are well-reviewed by their clients, with an overall four-star rating on TripAdvisor."

Link

TLP¹: Green

Vulnerabilities: Vulnerability Advisories, Zero-Days, Patches and Exploits


  • CISA: Several Old Linux Vulnerabilities Exploited in Attacks

"The US Cybersecurity and Infrastructure Security Agency (CISA) has added several Linux and Linux-related flaws to its known exploited vulnerabilities (KEV) catalog.
The agency added seven new vulnerabilities to its KEV catalog on Friday: Ruckus AP remote code execution (CVE-2023-25717), Red Hat Polkit privilege escalation (CVE-2021-3560), Linux kernel privilege escalations (CVE-2014-0196 and CVE-2010-3904), Jenkins UI information disclosure (CVE-2015-5317), Apache Tomcat remote code execution (CVE-2016-8735), and an Oracle Java SE and JRockit issue (CVE-2016-3427).
The Ruckus product vulnerability has been exploited by a DDoS botnet named AndoryuBot.
However, there do not appear to be any public reports describing exploitation of the other vulnerabilities added to CISA’s catalog. Technical details and proof-of-concept (PoC) exploits are available, which is not surprising considering that some of them have been known for a decade."

Link

TLP¹: Green

  • Hackers target WordPress plugin flaw after PoC exploit released

"Hackers are actively exploiting a recently fixed vulnerability in the WordPress Advanced Custom Fields plugin roughly 24 hours after a proof-of-concept (PoC) exploit was made public.
The vulnerability in question is CVE-2023-30777, a high-severity reflected cross-site scripting (XSS) flaw that allows unauthenticated attackers to steal sensitive information and escalate their privileges on impacted WordPress sites.
The flaw was discovered by website security company Patchstack on May 2nd, 2023, and was disclosed along with a proof-of-concept exploit on May 5th, a day after the plugin vendor had released a security update with version 6.1.6.
As the Akamai Security Intelligence Group (SIG) reported yesterday, starting May 6th, 2023, they observed significant scanning and exploitation activity using the sample code provided in Patchstack's write-up."

Link

TLP¹: Green

Incident Response: Infrastructure, Training, SIEM and Incident Handling


  • Startup Competition Secures ML Systems, Vulnerabilities in Automations

"Cybersecurity has traditionally secured the use of off-the-shelf IT hardware and software. Yet almost all the finalists at this year's RSA Innovation Sandbox centered around securing attack surfaces arising from the building of applications, machine learning systems, and API integrations. And while that may sound like the SecDevOps and software supply chain security of old, these innovators are focused on a larger opportunity.
Innovation Sandbox is RSA's Shark Tank-like competition bringing 10 startup finalists to present onstage before judges. Hidden Layer took the top prize for defending ML systems against adversarial AI."

Link

TLP¹: Green

Technical Articles: Forensics, Reverse Engineering, Malware, Phishing, Pentesting, Software Security and Cryptography


  • Researchers Uncover Powerful Backdoor and Custom Implant in Year-Long Cyber Campaign

"Government, aviation, education, and telecom sectors located in South and Southeast Asia have come under the radar of a new hacking group as part of a highly-targeted campaign that commenced in mid-2022 and continued into the first quarter of 2023.
Symantec, by Broadcom Software, is tracking the activity under its insect-themed moniker Lancefly, with the attacks making use of a "powerful" backdoor called Merdoor.
Evidence gathered so far points to the custom implant being utilized as far back as 2018. The ultimate goal of the campaign, based on the tools and the victimology pattern, is assessed to be intelligence gathering.
"The backdoor is used very selectively, appearing on just a handful of networks and a small number of machines over the years, with its use appearing to be highly targeted," Symantec said in an analysis shared with The Hacker News."

Link

TLP¹: Green

  • Phylum Detects Suspicious Publications Surrounding Popular Python Package Flask

"On the morning of May 10, 2023, Phylum’s automated risk detection platform flagged a series of publications surrounding the popular Flask package on PyPI. After reaching out to the author, we discovered that they were actually white hat publications intended for educational and demonstration purposes. However, this discovery serves as a crucial reminder that manual code review alone of seemingly innocuous packages is not sufficient to ensure security. Attackers can inject malware throughout the entire supply chain, including package dependencies."

Link

TLP¹: Green

  • CLR SqlShell Malware Targets MS SQL Servers for Crypto Mining and Ransomware

"Poorly managed Microsoft SQL (MS SQL) servers are the target of a new campaign that's designed to propagate a category of malware called CLR SqlShell that ultimately facilitates the deployment of cryptocurrency miners and ransomware.
"Similar to web shell, which can be installed on web servers, SqlShell is a malware strain that supports various features after being installed on an MS SQL server, such as executing commands from threat actors and carrying out all sorts of malicious behavior," AhnLab Security Emergency response Center (ASEC) said in a report published last week.
A stored procedure is a subroutine that contains a set of Structured Query Language (SQL) statements for use across multiple programs in a relational database management system (RDBMS)."

Link

TLP¹: Green

  • The latest variant of the RapperBot botnet adds cryptojacking capabilities

"FortiGuard Labs researchers have discovered new samples of the RapperBot bot that added cryptojacking capabilities.
Researchers from FortiGuard Labs first discovered the previously undetected RapperBot IoT botnet in August, and reported that it has been active since mid-June 2022. The bot borrows a large portion of its code from the original Mirai botnet, but unlike other IoT malware families, it implements a built-in capability to brute force credentials and gain access to SSH servers instead of Telnet as implemented in Mirai.
In November, Fortinet researchers discovered new samples of RapperBot used to build a botnet to launch DDoS attacks against game servers.
Experts also noticed that the most recent samples include the code to maintain persistence, which is rarely implemented in other Mirai variants."

Link

TLP¹: Green

¹ Traffic Light Protocol (TLP) [1] for information sharing:

  • Red: Not for disclosure, restricted to participants only.
  • Amber: Limited disclosure, restricted to participants' organizations.
  • Green: Limited disclosure, restricted to the community.

[1]https://www.first.org/tlp