| title | date | draft | logo |
|---|---|---|---|
July 16, 2023 |
2023-07-16 00:00:00 +0545 |
false |
images/infosec/default.png |
{{< toc >}}
Ukraine and Poland have experienced a series of cyberattacks targeting government entities, military organizations, and civilians. These campaigns, spanning from April 2022 to July 2023, involve sophisticated tactics such as phishing emails and decoy documents. The attackers utilize malware like PicassoLoader, Cobalt Strike Beacon, and njRAT to gain persistent remote access and steal sensitive data. GhostWriter, a threat actor with alleged ties to the Belarusian government, is among the groups involved. Additionally, Russia's APT28 and APT29 have targeted Ukraine, employing phishing techniques and repurposing legitimate materials for their malicious activities. These ongoing attacks highlight the need for strong cybersecurity measures and heightened vigilance to protect against evolving cyber threats.
The cyberattacks in Ukraine and Poland have employed multi-stage infection chains and advanced techniques. Phishing emails containing malicious Microsoft Office documents are used to initiate the attacks, with victims being tricked into enabling macros. This triggers the deployment of PicassoLoader, a downloader malware that retrieves additional payloads from attacker-controlled servers. GhostWriter, APT28, and APT29 are among the threat actors involved, targeting various organizations and individuals. The attacks highlight the persistent risks faced by these countries and the importance of robust cybersecurity practices, including user awareness, to safeguard sensitive data and systems.
Microsoft Office with ‘Malware, Phishing, Command-and-Control, Image Files, Email, Instant Messengers, Office Suite’
https://thehackernews.com/2023/07/picassoloader-malware-used-in-ongoing.html?m=1
• Implement robust email security solutions that can identify and block malicious emails, phishing attempts, and suspicious attachments. • Ensure that all software, including operating systems and applications, is promptly patched, and updated to address known vulnerabilities.
Critical Vulnerability Discovered in Popular Messaging App: Urgent Patch Required to Safeguard User Data
A significant security flaw has been uncovered in a highly popular messaging app, raising serious concerns about the privacy and security of its users. The discovery of this critical vulnerability has brought attention to the urgent need for users to update their software promptly and take necessary precautions to protect their sensitive information from potential cyber threats. According to the security researchers who identified the flaw, the vulnerability exposes users to potential attacks that could compromise their personal data, including chat logs, media files, and even their login credentials. Such unauthorized access to private conversations and personal information can have severe consequences, ranging from identity theft to blackmail or espionage. The alarming nature of this discovery serves as a stark reminder to users of the importance of keeping their software up to date. Security patches and updates are often released by app developers to address vulnerabilities and strengthen the overall security of their platforms. Neglecting to apply these updates can leave users susceptible to exploitation by cybercriminals who actively seek out and exploit security flaws in widely-used applications.
Github
https://thehackernews.com/2023/07/blog-post.html
● Users of the affected messaging app should immediately check for updates and install the latest version provided by the app developer. It is crucial to ensure that the software is regularly updated to protect against known vulnerabilities and potential exploits. Additionally, users are advised to exercise caution when sharing sensitive information or clicking on suspicious links within the app until the update is applied.
Microsoft disclosed that a validation error in its source code allowed a malicious actor, known as Storm-0558, to forge Azure Active Directory (Azure AD) tokens using a Microsoft account (MSA) consumer signing key. This breach impacted approximately 25 organizations, including government entities, compromising email access and exfiltrating mailbox data. The origin of how Storm-0558 obtained the key is under investigation. The token validation issue has been addressed. Storm-0558 is suspected to be a China-based threat actor engaged in espionage activities. The hacking crew primarily targets U.S. and European governing bodies, Taiwan and Uyghur interests, media companies, think tanks, and telecommunications providers. Microsoft has taken steps to mitigate the issue and notified affected customers. However, concerns have been raised about Microsoft's handling of the incident and access to forensic capabilities. The breach highlights China's cyber espionage capabilities and its ability to penetrate various IT systems.
Microsoft
https://thehackernews.com/2023/07/microsoft-bug-allowed-hackers-to-breach.html
• Implement multi-factor authentication and update security practices. • Improve monitoring to detect suspicious activities. • Train employees on phishing and security best practices. • Collaborate with government entities for threat intelligence. • Provide customers with forensic capabilities and audit logs.
Honeywell Experion DCS: Nine vulnerabilities, collectively known as Crit.IX, were found in the Honeywell Experion distributed control system. These flaws could allow unauthorized remote code execution, enabling attackers to take control of devices and manipulate DCS controllers. Insufficient encryption and authentication mechanisms in the Control Data Access (CDA) protocol contribute to the vulnerabilities. QuickBlox: Check Point and Claroty discovered critical flaws in QuickBlox, a chat and video calling platform widely used in telemedicine, finance, and IoT devices. Exploiting these vulnerabilities could lead to user database leaks and facilitate full account takeover attacks. Aerohive/Extreme Networks Access Points: Remote code execution vulnerabilities were found in these access points running HiveOS/Extreme IQ Engine versions prior to 10.6r2. Successful exploitation could result in arbitrary command execution. Ghostscript Library: Ghostscript, a widely used package, was found to have a remote code execution vulnerability. This library, which can be triggered through various applications like image editors or printers, poses risks beyond a single application. Golang-based Platforms: Two Golang-based open-source platforms, Owncast and EaseProbe, were discovered to have security weaknesses. Owncast is susceptible to Server-Side Request Forgery (SSRF) attacks (CVE-2023-3188), while EaseProbe is vulnerable to SQL injection attacks (CVE-2023-33967). Technicolor TG670 DSL Gateway Routers: Hard-coded credentials were identified in these routers, enabling authenticated users to gain full administrative control. Remote administration should be disabled to mitigate potential exploitation.
Honeywell Experion DCS, QuickBlox, Aerohive/Extreme Networks Access Points, Ghostscript Library, Golang-based Platforms, Technicolor TG670 DSL Gateway Routers
https://thehackernews.com/2023/07/critical-security-flaws-uncovered-in.html
• Disabling remote administration and contacting service providers to determine the availability of patches and updates to address these vulnerabilities.
The popular WordPress plugin, All-In-One Security (AIOS), released a security update due to a bug in version 5.1.9. The bug caused users' passwords to be stored in plaintext in the database, potentially accessible to malicious site administrators. The issue was reported by a user three weeks ago, expressing surprise that a security plugin would make such a basic error. AIOS confirmed that the update removes the stored passwords and mentioned that exploiting the vulnerability requires the attacker to have already compromised the site or gained unauthorized access. However, as a precaution, users are advised to enable two-factor authentication and change their passwords, especially if they use the same credentials on other sites.
• WPEverest's user registration plugin
https://thehackernews.com/2023/07/aios-wordpress-plugin-faces-backlash.html
• Change Passwords and Use Unique Credentials • Regularly Backup and Secure Your Website • Update AIOS and Enable Two-Factor Authentication
CVE-2023-3342
A critical vulnerability (CVE-2023-20214) has been discovered in the Cisco SD-WAN vManage software's REST API authentication validation. The flaw is due to insufficient request validation in the REST API feature. This issue allows remote attackers to modify configurations without proper authentication, disrupt network operations, retrieve confidential information and to gain unauthorized access to critical configuration data. Cisco SD-WAN vManage software users must immediately install the fixes provided by Cisco, which have been issued to remedy the vulnerability. Since there are currently no known solutions, it is crucial that the given patches be installed in order to minimize the risk from threat actors.
• Cisco SD-WAN vManage software
https://cybersecuritynews.com/cisco-sd-wan-vmanage-flaw
• Implement access control lists (ACLs) to restrict access to only trusted IP addresses, preventing outside attackers from gaining unauthorized access. • Utilize API keys when accessing APIs for an extra layer of security. • Monitor logs for any suspicious activity related to the REST API. • Keep the system software up to date with the latest patches and releases.
CVE-2023-20214