Welcome to our weekly cyber news roundup, where we highlight the most significant cybersecurity developments from the past week. Stay informed and vigilant as we delve into the top 7 stories shaping the digital landscape:
A critical authentication bypass vulnerability, tracked as CVE-2023-29357, in Microsoft SharePoint Server has seen a proof-of-concept exploit code emerge on GitHub. This vulnerability allows unauthenticated attackers to gain administrator privileges without user interaction. Attackers can use spoofed JWT authentication tokens to execute network attacks that bypass authentication and gain access to authenticated user privileges.
A technical analysis revealed a chain of vulnerabilities that included CVE-2023-29357, as well as another critical flaw, CVE-2023-24955, which enables remote code execution through command injection. In March 2023, a researcher achieved remote code execution on a Microsoft SharePoint Server during the Pwn2Own contest, earning a $100,000 reward.
Although the recently released exploit doesn’t provide immediate remote code execution, it is advised to apply Microsoft’s security patches as a preventive measure. With technical details now available, it is possible that threat actors or other researchers may reproduce the full exploit chain to achieve complete remote code execution in the future.
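The bypass described above hinges on a server trusting claims in a JWT it has not actually validated. The following is an added illustration written for this roundup, not Microsoft's code and not the published exploit: it contrasts a validator that reads the payload without checking the signature (so a forged "admin" claim is believed) with one that pins the algorithm and verifies the HMAC. The HS256 key, the helper names and the forged token are all constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional


def _b64url_decode(s: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_hs256_token(claims: dict, key: bytes) -> str:
    # Constructed helper so the example can mint tokens for both sides of the demo.
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def claims_unverified(token: str) -> dict:
    # Weak pattern: the payload is decoded and trusted without any signature check,
    # so whoever builds the token decides what role the server sees.
    return json.loads(_b64url_decode(token.split(".")[1]))


def claims_verified(token: str, key: bytes) -> Optional[dict]:
    # Hardened pattern: pin the expected algorithm, recompute the MAC over the
    # signed input, and compare it in constant time before trusting any claim.
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None  # rejects "none" and any algorithm swap
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    return json.loads(_b64url_decode(payload_b64))


# Constructed demo values: the server's secret and a token forged without it.
SERVER_KEY = b"constructed-demo-secret"
FORGED_TOKEN = make_hs256_token({"sub": "guest", "role": "admin"}, b"attacker-has-no-key")

if __name__ == "__main__":
    print(claims_unverified(FORGED_TOKEN)["role"])    # admin: the forged claim is believed
    print(claims_verified(FORGED_TOKEN, SERVER_KEY))  # None: signature does not verify
```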
The Lazarus Advanced Persistent Threat (APT) group has recently been using LinkedIn to target a Spanish aerospace company in a sophisticated cyberattack. Impersonating LinkedIn recruiters, the attackers send coding challenges to employees, which are actually malicious executables. The campaign is part of Lazarus’ “Operation DreamJob.”
One notable aspect is the use of a previously undocumented backdoor called LightlessCan, which can evade security monitoring and is more advanced than its predecessor, BlindingCan. The attackers compromised the company’s network through spearphishing on LinkedIn, specifically in the hiring process. Multiple employees were targeted, and the attack involved trojanized PDF viewers and SSL/VPN clients. Ultimately, the attackers deployed RATs (Remote Access Trojans) known as miniBlindingCan and LightlessCan.
The campaign reflects Lazarus’ ongoing interest in the aerospace industry and their evolving attack tactics. This method of targeting employees through social engineering is becoming more common, as it exploits the human factor, making it challenging to detect and defend against. Lazarus, also known as Hidden Cobra, is a North Korean cyberespionage group with a history of high-profile attacks. Aerospace firms are attractive targets for such groups due to their valuable technology and potential financial gains.
The Mozilla Foundation has issued a critical security update for its web browser, Firefox, and email client, Thunderbird, in response to a significant vulnerability (CVE-2023-5217). This flaw, initially reported by Google’s Clément Lecigne, involves a heap buffer overflow in libvpx, a key component of Firefox. If exploited, it could allow attackers to execute malicious code on affected systems.
This vulnerability is considered critical, and Mozilla has acknowledged that it has been actively exploited in other products. Users are strongly advised to update their Firefox and Thunderbird to the specified versions (Firefox 118.0.1, Firefox ESR 115.3.1, Firefox Focus for Android 118.1.0, Firefox for Android 118.1.0, and Thunderbird 115.3.1) to protect their systems from this threat. Keeping software up to date is crucial for online security.
In this episode, David Liebenberg from Cisco Talos discusses their recent findings on the widespread downloading of cracked Microsoft Windows software by enterprise users. This practice not only poses a significant security risk but also serves as a potential entry point for malicious actors looking to exploit vulnerabilities in these compromised applications.
Talos has uncovered additional threats, including Remote Access Trojans (RATs), on systems running these cracked software versions. Such malware can grant unauthorized remote access to compromised machines, giving attackers the ability to manipulate the system, capture screenshots, log keystrokes, and exfiltrate sensitive data.
This episode delves into the dangers associated with downloading cracked software and the potential consequences for individuals and organizations. It serves as a stark reminder of the importance of using legitimate, licensed software to maintain a secure and protected digital environment.
Tequila OS 2.0, developed by students from the National Autonomous University of Mexico, is the first Linux distribution in Latin America tailored for forensic analysis and incident response. This Linux distribution comes with over 60 tools designed for cybersecurity professionals. Users can easily set it up in a virtual machine by downloading the ISO file and using the provided login credentials. Tequila OS 2.0 is advantageous due to its regular updates, one-click mounting and unmounting of storage media, manuals in Spanish, low RAM requirements, and compatibility with various virtualization software.
This Linux distribution is primarily focused on cybersecurity incident response and has evolved to offer greater stability, an improved user interface, enhanced performance, and a comprehensive set of tools. It’s an appealing option not only for users in Latin America but also for cybersecurity professionals worldwide. The Tequila project also includes a set of tools called Agave for incident response in a Windows operating environment.
A new variant of the BBTok banking Trojan is actively targeting users in Latin America, with a particular focus on Brazil and Mexico. This malware is designed to mimic the interfaces of more than 40 Mexican and Brazilian banks to deceive victims into revealing their 2FA codes and payment card numbers.
The Trojan uses customized server-side PowerShell scripts to create unique payloads for each victim, delivered via phishing emails with various file types. BBTok employs evasion techniques for Windows 7 and Windows 10 systems, including the use of living-off-the-land binaries (LOLBins) and geofencing checks to target users only in Brazil or Mexico.
The malware aims to harvest user credentials and authentication information for account takeovers. While the operators are cautious and execute banking activities only on direct command, BBTok’s obfuscation and targeting have evolved significantly since its initial appearance in 2020. The presence of Spanish and Portuguese languages suggests the threat actors may be based in Brazil.
Over 150 users are estimated to have been infected by BBTok, making it an ongoing concern for organizations and individuals in the region. Check Point also identified a large-scale phishing campaign targeting companies in Colombia, aiming to deploy the Remcos Remote Access Trojan (RAT) for various malicious purposes.
This report provides an in-depth analysis of the Cuba ransomware gang, including their history, attack tactics, and victimology. The Cuba gang, previously known as “Tropical Scorpius,” primarily targets organizations in the United States, Canada, and Europe, with a focus on industries like oil, finance, government, and healthcare.
They employ a double extortion model, encrypting victim files and threatening to publish stolen data unless a ransom is paid. The gang uses a variety of tools, vulnerabilities, and techniques to gain access to victim networks.
Notably, the report uncovers that the Cuba gang may have Russian-speaking members, and they continue to evolve their tactics. The group has used various aliases, including “ColdDraw,” “Fidel,” and “V Is Vendetta.” Their Cuba ransomware employs hybrid encryption to lock files and targets specific file extensions and directories. The report also highlights the use of vulnerable drivers and self-defense mechanisms in their attacks.
In one incident investigation, the report describes how the Cuba gang used legitimate drivers known to have security flaws to execute malicious actions within the system, posing a significant threat. The incident analysis uncovered new versions of the Burntcigar malware, offering insights into the gang’s evolving techniques.
Overall, the report emphasizes the importance of staying informed about emerging cyber threats, using advanced technology for threat detection, and maintaining a comprehensive threat knowledge base to combat advanced cybercrime effectively. It underscores the significance of threat intelligence services and managed detection and response (MDR) in dealing with such threats.
Stay tuned for the latest updates and in-depth coverage of these stories. Knowledge is your best defense in the digital age.