19-Sep-23: In Security News Today

Transparent Tribe Uses Fake YouTube Android Apps to Spread CapraRAT Malware

The Pakistan-linked threat actor known as Transparent Tribe, also known as APT36, is distributing the CapraRAT mobile remote access trojan (RAT) through malicious Android apps that mimic YouTube. CapraRAT is a highly invasive tool that gives the attacker control over the data on infected Android devices. The apps are distributed using social engineering lures and once installed, they request intrusive permissions to harvest sensitive data and exfiltrate it to a threat actor-controlled server.

AtlasVPN to Patch IP Leak Vulnerability After Public Disclosure

AtlasVPN is working on a patch for an IP leak vulnerability in its Linux client after a researcher publicly disclosed the flaw. The researcher shared the details on the Full Disclosure mailing list and Reddit after unsuccessful attempts to contact AtlasVPN support. The vulnerability allows an attacker to disconnect the VPN and leak the user’s real IP address, and a patch has been released to address the issue.

Microsoft AI Researchers Accidentally Expose 38 Terabytes of Confidential Data

Microsoft accidentally exposed 38 terabytes of private data on its AI GitHub repository, including secrets, keys, passwords, and internal Teams messages. The exposure was caused by an overly permissive SAS token that allowed unauthorized access to the entire storage account. Microsoft has taken steps to correct the issue, including revoking the token and blocking external access to the storage account.

Pro-Russian Cybercrime Group NoName057(16) Launches DDoS Attacks Against Canadian Organizations

The Canadian Centre for Cyber Security has issued a warning about the pro-Russian cybercrime group NoName057(16) launching distributed denial-of-service (DDoS) attacks against Canadian organizations. The group, also known as NoName05716, has been conducting disruptive attacks in support of Russia’s invasion of Ukraine since March 2022. It has targeted various sectors, including financial, government, military, media, supply, telecoms, and transportation organizations in Ukraine and NATO-associated countries. Canadian organizations are advised to review their systems, implement DDoS protections, improve monitoring and defensive controls, isolate web-facing applications, and report any suspected DDoS attacks to the Cyber Centre.

Critical Vulnerability in GitLab Can Result in Supply Chain Attacks, Data Leaks, and More

GitLab has released security updates to address a critical vulnerability that allows attackers to run pipelines as different users. The vulnerability, assigned CVE-2023-4998, has a CVSS v3.1 score of 9.6 and affects GitLab Community Edition and Enterprise Edition versions 13.12 through 16.2.7, as well as versions 16.3 through 16.3.4. Exploiting this flaw can lead to unauthorized access, data manipulation, and potential supply chain attacks, resulting in intellectual property loss, data leaks, and other high-risk scenarios. Users are urged to upgrade to the latest version to mitigate the risk.

New Backdoors with Ultra-Stealth Used in Middle East Telecom Attacks

A new threat actor named ‘ShroudedSnooper’ has been targeting Middle East-based telecommunications organizations using custom Windows server backdoors with highly effective stealth mechanisms. The backdoors, named ‘HTTPSnoop’ and ‘PipeSnoop,’ have extensive anti-detection mechanisms and masquerade as popular software products. These backdoors allow the attackers to gain persistent access to the victims’ networks, move laterally, exfiltrate data, and drop additional malware. Detecting and preventing these backdoors is challenging due to their stealthiness and the need for high privileges to perform forensic work on live production systems.

Hacker Group GhostSec Allegedly Stole 2.8GB of Data from the Moscow Exchange

The hacker group GhostSec has claimed responsibility for a cyberattack on the Moscow Exchange, stating that they gained access to an FTP server due to exposed account credentials. The exchange has not confirmed the hack or commented on the situation, leaving uncertainty about the accuracy of the hackers’ claims and the potential impact on operations and reputation. GhostSec previously claimed to have compromised programmable logic controllers used by Israeli organizations, demonstrating the ability to manipulate water levels.

Bumblebee Malware Returns with Enhanced Techniques

Bumblebee, a loader used by threat actors associated with ransomware attacks, has recently resumed its activities after a two-month break. The malware has been updated to minimize reliance on hard-coded command and control servers, instead using a Domain Generation Algorithm (DGA) to generate new command and control domains. Bumblebee is now distributed through WebDAV servers and malicious spam emails, making it more unpredictable and harder to block.

International Criminal Court Experiences Cybersecurity Incident

The International Criminal Court (ICC) has reported a cybersecurity incident affecting its IT systems. The ICC, which is currently investigating war crimes in Ukraine, has not provided further details about the incident. Immediate measures have been taken to respond to the incident and mitigate its impact, and the court’s priority is to ensure its work can continue.

Operation Rusty Flag: Azerbaijan Targeted in New Rust-Based Malware Campaign

A new campaign called Operation Rusty Flag is targeting systems in Azerbaijan with Rust-based malware. The operation has two different initial access vectors, one of which uses a modified document associated with the Storm-0978 group as a lure. The attack leverages an LNK file and a Microsoft Office document to deliver a second-stage payload and drop an implant written in Rust.

Thousands of Juniper Appliances Vulnerable to New Exploit

Threat intelligence firm VulnCheck has discovered a new fileless exploit targeting a recent Junos OS vulnerability that thousands of Juniper Networks appliances have not been patched against. The vulnerability, tracked as CVE-2023-36845, allows an unauthenticated attacker to execute code without creating a file on the vulnerable Juniper appliance’s system. VulnCheck performed a Shodan search and found that approximately 79% of the analyzed devices are not patched against this vulnerability.

Critical Zero-Day Vulnerability Exploited in Trend Micro Endpoint Security Products

Trend Micro has issued an advisory warning customers that a critical zero-day vulnerability, CVE-2023-41179, has been exploited in the wild. The flaw affects Apex One, Apex One SaaS, and Worry-Free Business Security products and can be exploited for arbitrary code execution. While an attacker would need to have stolen the product’s management console authentication information in advance, Trend Micro has confirmed that the vulnerability has been used in actual attacks. Patches have been released for the impacted products, and users are advised to update to the latest version as soon as possible.

Earth Lusca’s New SprySOCKS Linux Backdoor Targets Government Entities

The China-linked threat actor Earth Lusca has been observed targeting government entities using a new Linux backdoor called SprySOCKS. The group has been active since 2021 and primarily targets government departments involved in foreign affairs, technology, and telecommunications. The backdoor is delivered through the exploitation of known security flaws in various servers and is capable of exfiltrating documents and email account credentials.

Disclaimer: Titles and summaries are AI-generated. Please refer to the linked content for more details.