18-Jul-23: In Security News Today

Former IT Security Analyst Jailed for Attempting to Extort Employer in Cyber Attack

Ashley Liles, a former IT security analyst, was sentenced to three years and seven months in prison for trying to blackmail his employer while it was responding to a genuine cyber attack. Liles accessed board members' mailboxes and altered the attacker's payment email address to a near-identical lookalike under his own control, intending to divert any ransom payment to himself. The company refused to pay, and investigators traced the unauthorised mailbox access to Liles' home. Although he wiped his devices before his arrest, police recovered enough evidence to convict him. The case is a reminder that privileged security staff are themselves an insider-threat population that needs monitoring: insider incidents rose 44% in volume and 34% in cost between 2020 and 2021.

Decade-long Scareware Fraudster Arrested, Linked to $70m in Victim Losses

A suspected Ukrainian scammer who evaded capture for more than a decade has been arrested at Barcelona's El Prat airport by Spanish police, with support from the FBI and Interpol. He is charged with running a global scareware operation between 2006 and 2011 that infected victims' machines with malware which displayed bogus infection warnings and pressured them into paying $129 for a fake antivirus product. The campaign is linked to as much as $70m in victim losses over its five years, and the arrest is the latest in a series of Spanish actions against cybercriminal operators.

VirusTotal Data Leak Exposes Details of 5,600 Customers, Including Government Agencies

Names and email addresses of a subset of VirusTotal's registered customers were exposed after an employee uploaded a customer list to the malware-scanning platform itself. The 313KB file held 5,600 entries and included accounts linked to U.S. Cyber Command, the Department of Justice, the Federal Bureau of Investigation (FBI) and the National Security Agency (NSA), as well as government agencies in Germany, the Netherlands, Taiwan and the U.K. Google, which owns VirusTotal, confirmed the leak, removed the file within an hour of its upload and has begun a review of its internal processes and technical controls. The incident is a reminder that anything submitted to a multi-scanner becomes visible to the platform's other subscribers, so controls on what staff may upload are a data-loss-prevention matter, not only a malware-analysis one.

ShadowPad Malware Used in Sophisticated Attack on Pakistani Entities

An unidentified threat actor compromised an application used by several Pakistani entities, including a government agency, a public-sector bank and a telecommunications provider, to deliver the ShadowPad backdoor. The malware, usually associated with Chinese state-aligned groups, was hidden in a trojanized build of E-Office, a paperless-office application developed by Pakistan's National Information Technology Board. Trend Micro did not attribute the campaign to a specific group, but noted that the use of a recent ShadowPad build points to a highly capable actor with likely ties to the Chinese threat-actor nexus.

Nation-State Actor Breaches JumpCloud via Spear-Phishing and Data Injection

JumpCloud, a provider of identity and access management services, has confirmed a breach by a sophisticated nation-state-sponsored actor. The intrusion began with a spear-phishing campaign that gave the attacker a foothold in JumpCloud's infrastructure; it later escalated to data injection into the company's commands framework, the mechanism JumpCloud uses to run commands on customer-managed devices, aimed at a small number of specific customers. JumpCloud says the attack was narrowly targeted, and in response it force-rotated admin API keys, hardened its environment and published a timeline and indicators of compromise so that other organisations can check for the same activity.

Critical WooCommerce Payments Flaw Exploited in Massive Attack on Websites

Attackers have mass-exploited a critical vulnerability in the WooCommerce Payments plugin for WordPress, hitting more than 157,000 sites in a campaign that peaked at 1.3 million attack requests on July 15, 2023. The flaw, CVE-2023-28121, affects WooCommerce Payments 5.6.1 and earlier and lets an unauthenticated attacker impersonate any user, including an administrator, and then act with that user's privileges, for example creating new admin accounts or installing plugins. The fix was pushed as a forced auto-update to WordPress.com-hosted sites, but self-hosted sites that did not receive or apply the update remain exposed. Administrators should confirm the plugin is at a patched version and then review the site for administrator accounts, plugins and scheduled tasks they did not create, since a site patched after the attack window may already have been compromised.
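The post-exploitation check described above, as an added example that is not the plugin's or WordPress's own code: it compares the installed plugin version against the affected range and lists administrator accounts that are either undocumented or were created inside the attack window. The user and capability rows are constructed to resemble wp_users and wp_usermeta exports, and the known-admin list and review window are assumptions for illustration.

```python
import re
from datetime import datetime

# Added example, not the plugin's or WordPress's own code: audit a site for the
# "unexpected admin activity" that follows exploitation of a user-impersonation flaw.
# The rows below are constructed to look like wp_users / wp_usermeta exports; the
# known-admin list and the review window are assumptions for illustration.

LAST_AFFECTED_VERSION = (5, 6, 1)   # WooCommerce Payments 5.6.1 and lower are affected

# constructed: (ID, user_login, user_registered)
WP_USERS = [
    (1, "owner", "2021-03-02 10:00:00"),
    (7, "shop-mgr", "2023-06-30 09:10:00"),
    (42, "wpadmin_sys", "2023-07-15 03:12:44"),
]

# constructed: (user_id, meta_key, meta_value); WordPress stores roles as a
# PHP-serialized array such as a:1:{s:13:"administrator";b:1;}
WP_USERMETA = [
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (7, "wp_capabilities", 'a:1:{s:12:"shop_manager";b:1;}'),
    (42, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
]

KNOWN_ADMINS = {"owner"}   # assumption: the administrators the site owner documented

# matches s:<len>:"<role>";b:1;  i.e. a role set to true in the serialized array
ROLE_RE = re.compile(r's:\d+:"([^"]+)";b:1;')
TIME_FMT = "%Y-%m-%d %H:%M:%S"


def parse_version(text):
    """'5.6.1' -> (5, 6, 1). Tuple comparison also handles shorter strings like '5.6'."""
    return tuple(int(p) for p in text.strip().split("."))


def is_vulnerable(plugin_version):
    """True when the installed WooCommerce Payments version is in the affected range."""
    return parse_version(plugin_version) <= LAST_AFFECTED_VERSION


def roles_for(serialized):
    """Roles granted in a PHP-serialized capabilities array (roles set to false are ignored)."""
    return set(ROLE_RE.findall(serialized))


def unexpected_admins(users, usermeta, known_admins, since):
    """Administrator logins that are not on the known list, or were registered at or
    after `since` (a 'YYYY-MM-DD HH:MM:SS' string). A known admin created inside the
    window is still flagged, because attackers often reuse plausible names."""
    since_dt = datetime.strptime(since, TIME_FMT)
    roles = {uid: roles_for(value) for uid, key, value in usermeta
             if key.endswith("capabilities")}
    findings = []
    for uid, login, registered in users:
        if "administrator" not in roles.get(uid, set()):
            continue
        created = datetime.strptime(registered, TIME_FMT)
        if login not in known_admins or created >= since_dt:
            findings.append(login)
    return findings


if __name__ == "__main__":
    print("5.6.1 vulnerable:", is_vulnerable("5.6.1"))
    print("5.6.2 vulnerable:", is_vulnerable("5.6.2"))
    print("unexpected admins:", unexpected_admins(WP_USERS, WP_USERMETA, KNOWN_ADMINS,
                                                  "2023-07-14 00:00:00"))
```

On a real site the same rows can be pulled with wp-cli (`wp user list --role=administrator --fields=ID,user_login,user_registered`) or straight from the database; the version string comes from the plugin's header or `wp plugin list`. Treat a hit as a reason to start incident response, not merely to delete the account, since the attacker may also have added plugins or scheduled tasks.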

FIN8 Resurfaces with Revamped ‘Sardonic’ Backdoor to Deploy BlackCat Ransomware

The cybercrime group FIN8 has resurfaced with a heavily modified version of its Sardonic backdoor, now used to deliver the BlackCat (ALPHV) ransomware. The new build has been substantially rewritten to evade detection, with added obfuscation and an expanded plugin format. The campaign fits FIN8's record of continuous tooling changes, and the recommended response is a layered defence: detection and protection tooling at multiple points, multifactor authentication (MFA) and tight access controls, so that a backdoor's arrival does not translate directly into ransomware deployment.

Active Exploitation of Adobe ColdFusion Vulnerabilities Continues Despite Recent Patches

Researchers at Rapid7 report continued exploitation of Adobe ColdFusion even after Adobe shipped patches. Two deserialization vulnerabilities, CVE-2023-29300 and CVE-2023-38203, were conflated in public reporting, and the initial fix proved incomplete, so attackers kept chaining a deserialization bug with the access-control bypass CVE-2023-29298 to execute code on exposed servers. Rapid7 has passed its findings to Adobe; in the meantime the advice is to apply the latest ColdFusion update, which breaks the exploit chain observed in the wild, and to check ColdFusion servers for signs of earlier compromise, since patching does not evict an attacker who is already present.

Microsoft’s Double Semi-Zero Day Exploitation: A Study in Cybersecurity Compromises

Microsoft has disclosed a sophisticated intrusion, attributed by Microsoft to a China-based actor, that reached the email of roughly 25 organisations and could expose thousands of individual mailboxes. The attacker used forged authentication tokens signed with a Microsoft consumer (personal-account) signing key that they had acquired; a token-validation flaw in Microsoft's backend allowed tokens signed with that consumer key to be accepted for enterprise accounts. Microsoft invalidated the key and corrected the validation logic on its own infrastructure, so customers needed no client-side update, and says it was able to identify the affected organisations from its telemetry. The case shows how much rests on key segmentation and issuer-to-key binding in applied cryptography, and on the threat hunting needed to spot misuse of a credential that looks valid.
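The validation failure described above, as an added example that is not Microsoft's code: a toy token verifier in which one service trusts both a consumer and an enterprise signing key. The weak verifier only checks that some trusted key validates the signature; the hardened one also requires that the key be one the token's issuer is allowed to use. The key ring, issuer URLs and HMAC-SHA256 signatures are constructed stand-ins for the asymmetric keys each real issuer publishes; the scope check is the point, and it applies unchanged to RS256 tokens.

```python
import base64
import hashlib
import hmac
import json

# Added example, not Microsoft's code: a toy token verifier that shows why checking
# the signature alone is not enough when one service trusts several signing keys.
# The key ring, issuers and HMAC-SHA256 signatures are constructed stand-ins for the
# real asymmetric keys each issuer publishes; the scope check is the point.

KEYRING = {
    # kid -> (secret, trust scope, issuers this key is allowed to sign for)
    "consumer-key-1": (b"consumer-secret", "consumer", {"https://login.live.com"}),
    "enterprise-key-1": (b"enterprise-secret", "enterprise", {"https://sts.windows.net/contoso/"}),
}
ENTERPRISE_ISSUER = "https://sts.windows.net/contoso/"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(claims: dict, kid: str) -> str:
    """Mint a compact header.payload.signature token with the named key."""
    header = {"alg": "HS256", "kid": kid}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    secret = KEYRING[kid][0]
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def _parse(token: str):
    h, p, s = token.split(".")
    return json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p)), h + "." + p, _b64url_decode(s)


def _check_signature(header, signing_input, sig):
    secret = KEYRING[header["kid"]][0]
    expected = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("bad signature")


def verify_signature_only(token: str) -> dict:
    """Weak verifier: any key in the ring that validates the signature is accepted,
    regardless of which issuer that key belongs to."""
    header, claims, signing_input, sig = _parse(token)
    _check_signature(header, signing_input, sig)
    return claims


def verify_scoped(token: str, expected_issuer: str) -> dict:
    """Hardened verifier: the signature must check out AND the key must be one the
    expected issuer is allowed to use. A consumer key on an enterprise token is
    rejected even though the signature is mathematically valid."""
    header, claims, signing_input, sig = _parse(token)
    _check_signature(header, signing_input, sig)
    if claims.get("iss") != expected_issuer:
        raise ValueError("issuer claim does not match the issuer this audience expects")
    _, scope, issuers = KEYRING[header["kid"]]
    if expected_issuer not in issuers:
        raise ValueError(f"key {header['kid']} ({scope} scope) is not trusted for {expected_issuer}")
    return claims


def accepts(verifier, token: str, *args) -> bool:
    """True if the verifier returns claims, False if it rejects the token."""
    try:
        verifier(token, *args)
        return True
    except ValueError:
        return False


def forged_enterprise_token() -> str:
    """What an attacker holding only the consumer key can mint: enterprise claims, consumer signature."""
    return sign({"iss": ENTERPRISE_ISSUER, "sub": "alice@contoso", "aud": "outlook"}, "consumer-key-1")


def legitimate_enterprise_token() -> str:
    return sign({"iss": ENTERPRISE_ISSUER, "sub": "alice@contoso", "aud": "outlook"}, "enterprise-key-1")


if __name__ == "__main__":
    forged = forged_enterprise_token()
    print("signature-only accepts forged token:", accepts(verify_signature_only, forged))                       # True
    print("scoped verifier accepts forged token:", accepts(verify_scoped, forged, ENTERPRISE_ISSUER))           # False
    print("scoped verifier accepts real token:",
          accepts(verify_scoped, legitimate_enterprise_token(), ENTERPRISE_ISSUER))                             # True
```

The design point is that a key ring is not one trust domain: each key must be bound to the issuers it may vouch for, and the verifier must look up that binding from the audience's expectation, never from claims inside the token being verified.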

Imminent Threat: Rising Linux Ransomware Attacks and Protecting Critical Infrastructure

Ransomware targeting Linux systems, which underpin much critical national infrastructure and most online services, is rising sharply, making the defence of these systems a priority for security teams. Linux-targeted ransomware attacks rose 75% in 2022, with established and emerging groups alike, including Conti, LockBit and BlackMatter, fielding Linux-capable encryptors aimed at servers. The recommended defences are the familiar ones, applied with the same rigour as on Windows estates: anti-ransomware tooling on Linux hosts, timely patching, offline and tested backups, network segmentation, staff education, and regular testing of resilience and incident procedures.

Notorious Hacker Unwittingly Exposes Self via Infostealer Malware Mishap

Prolific threat actor "La_Citrix", known for breaking into corporate Citrix, VPN and RDP servers and selling access on Russian-language dark web forums, accidentally infected his own computer with infostealer malware. The stolen-credential logs from his machine, which held his own personal details alongside a large volume of data taken from victims, ended up in the dataset that Hudson Rock's researchers acquire from the infostealer market. An unusual pattern in the data prompted Hudson Rock to investigate, leading to the actor's identity, personal information and evidence of his activities, which the company says it will pass to the relevant law enforcement agencies.

Disclaimer: Titles and summaries are AI-generated. Please refer to the linked content for more details.