Cyber security week in review: July 29, 2022

  • Thread starter Security feed from CyberSecurity Help
European cyber mercenaries used Windows, Adobe zero-days in Subzero malware attacks

A hack-for-hire company has targeted European and Central American entities in limited attacks that used multiple zero-day flaws in Microsoft and Adobe software products, including a recently patched zero-day vulnerability in Windows.

While the company is officially known as DSIRF, Microsoft tracks it as “Knotweed.” It is described as an Austria-based private-sector offensive actor that ostensibly provides security and information analysis services to commercial customers. According to Microsoft, DSIRF has previously been observed both developing and selling a malware toolset called “Subzero” to third parties.

Over the last two years, Subzero was deployed through a variety of methods, including exploits for zero-day bugs in the Adobe Reader and Windows OS (CVE-2022-22047).

Threat actors start scanning for vulnerabilities within 15 minutes of a CVE public disclosure

Malicious actors are increasingly quick to exploit high-profile zero-day vulnerabilities, with scanning starting within 15 minutes of a new CVE being publicly disclosed. Software vulnerabilities remain one of the top initial access vectors for threat actors (31%, second only to phishing at 37%). Other access vectors include brute-force credential attacks (9%), previously compromised credentials (6%), insider threat and social engineering (5%), and abuse of trusted relationships/tools (4%).

The most exploited vulnerabilities for network access in H1 2022 were the three ProxyShell vulnerabilities (55%), Log4j (14%), SonicWall CVEs (7%), ProxyLogon (5%), Zoho ManageEngine ADSelfService Plus (4%), and Fortinet CVEs (3%).

Researchers sound alarm over possible attack against a large US-based MSP

Cybersecurity researchers have warned of a threat actor on a hacker forum claiming to have access to over 50 US companies via an unnamed managed service provider (MSP). On July 18, an individual going by the alias “Beeper” posted a message on a Russian-speaking hacker forum asking for assistance monetizing access to a managed service provider.

The cybersecurity agencies from the US, UK, Australia, Canada and New Zealand warned in May of increased cyberattacks targeting managed service providers (MSPs).

Digital security giant Entrust hit with ransomware

Entrust Group, a US-based company that offers a wide range of security services to many organizations, has reportedly suffered a ransomware attack, in which the attackers have breached the company’s internal systems and stolen corporate data. The incident took place on June 18. So far, there has been no evidence that the attack affected the operation or security of the company’s products and services, Entrust CEO Todd Wilkinson said.

Lockbit ransomware gang claims to have stolen 100 GB of data from Italian tax agency

The Lockbit ransomware gang announced they have breached Italy’s Revenue Agency (L’Agenzia delle Entrate) and stolen a large trove of data.

Over the weekend, the gang added the Italian government agency to the list of victims on its dark web data leak website. Lockbit claimed to have stolen 78 GB of files from the agency, including documents, scans, financial reports, and contracts. However, Sogei, the IT company tasked with investigating the alleged hack, said that there is no evidence that the tax agency has suffered a breach.

New Robin Banks PhaaS platform sells phishing kits to cyber criminals

A new phishing-as-a-service (PhaaS) platform named Robin Banks has been launched that offers ready-made phishing kits to cyber criminals who want to get access to financial information of people in the US, UK, Canada and Australia.

First spotted in March 2022, the platform offers templates for targeting customers of major US banks (Bank of America, Capital One, Citibank, Wells Fargo) and various online services, such as Google, Microsoft, and Netflix.

Single phishing pages run for $50 per month. For full access, which includes access to all pages as well as any future updates and 24/7 support, Robin Banks charges users $200/month. On average, a single kit deployed via a PhaaS provider can cost anywhere between $150-$300/month.

Hackers are adapting their techniques after Microsoft’s decision to block macros

In response to Microsoft’s decision to block macros by default in Microsoft Office applications, threat actors have begun to adopt new attack methods. More specifically, threat actors are increasingly using container files such as ISO and RAR, and Windows Shortcut (LNK) files, to distribute malware. According to Proofpoint researchers, the use of ISO, RAR and LNK file attachments increased by nearly 175%, and at least 10 malicious actors have started using LNK files in their campaigns since February 2022.

Proofpoint notes that the use of macro-enabled attachments by threat actors decreased approximately 66% between October 2021 and June 2022.

US increases reward for info on North Korean hackers

The US State Department has raised a reward to $10 million for information about North Korean state-backed threat actors, more specifically, individuals associated with the Andariel, APT38, Bluenoroff, Guardians of Peace, Kimsuky, or Lazarus Group advanced persistent threat (APT) groups.

FileWave MDM vulnerabilities put organizations’ devices at risk of cyberattacks

Cybersecurity researchers at Claroty have warned of two high-risk flaws affecting FileWave’s mobile device management (MDM) system, which is used to manage a wide range of devices. The flaws, tracked as CVE-2022-34907 and CVE-2022-34906, are remotely exploitable and allow an attacker to bypass authentication mechanisms and gain full control over the MDM platform and its managed devices.

The researchers said they identified thousands of vulnerable internet-facing FileWave servers in numerous industries, including government agencies, education, and large enterprises.

A recently patched Atlassian Confluence bug is actively exploited in the wild

Just a little over a week after Atlassian released a security advisory pertaining to multiple vulnerabilities in several of the company’s on-premises products, reports emerged that threat actors are attempting to exploit one of the flaws (CVE-2022-26138).

The flaw affects the Questions for Confluence app for Confluence Server and Data Center and stems from the presence of a hardcoded account. It should be noted, however, that the vulnerability only exists when the Questions for Confluence app is enabled.

Spanish police arrest two individuals suspected in sabotage of the country’s radioactivity alert network

Spanish law enforcement authorities announced the arrest of two individuals suspected of being behind a cyberattack on the country’s radioactivity alert network (RAR), which occurred between March and June 2021.

The suspects are former workers of a company in charge of the maintenance of the RAR system, the police said. The cyberattack disabled more than a third of the RAR sensors deployed across Spain. The motive behind this act of sabotage is still unknown.

Akamai says it blocked the largest DDoS attack in Europe to date

Cybersecurity and cloud service company Akamai has revealed that it blocked the largest distributed denial-of-service (DDoS) attack recorded to date in Europe. The attack took place earlier this month and targeted an organization in Eastern Europe.

The victim was targeted 75 times in the past 30 days with horizontal attacks consisting of UDP, UDP fragmentation, ICMP flood, RESET flood, SYN flood, TCP anomaly, TCP fragment, PSH ACK flood, FIN push flood, and PUSH flood, among others. UDP was the most popular vector observed in both record spikes. The record-breaking attack peaked at 853.7 Gbps (gigabits per second) and 659.6 Mpps (million packets per second), Akamai said.
