20-Jul-23: In Security News Today

P2PInfect Worm: New Threat Exploiting Vulnerable Redis Servers on Linux and Windows Systems

Cybersecurity researchers from Unit 42 have uncovered a novel peer-to-peer worm, P2PInfect, that targets vulnerable Redis instances on both Linux and Windows systems, potentially affecting up to 934 unique systems. The worm exploits a critical Lua sandbox escape vulnerability, CVE-2022-0543, to infect systems and subsequently deliver a dropper payload that establishes peer-to-peer communication for further malicious activity. Though the end goal of the campaign is unclear, researchers believe the malware is likely preparing for a significant attack, weaponizing its robust peer-to-peer command-and-control network across different platforms.

Russian State Actor Turla’s DeliveryCheck Backdoor Targets Ukrainian Defense Sector

A novel .NET-based backdoor, DeliveryCheck, has been identified attacking the defense sector in Ukraine and Eastern Europe, primarily spreading via email attachments containing malicious macros. DeliveryCheck, attributed to the Russian nation-state actor Turla (also known as Iron Hunter, Secret Blizzard, Uroburos, Venomous Bear, and Waterbug), is designed to download and launch further payloads in memory from a command and control server, including the known Turla implant, Kazuar. The primary goal of these attacks is to exfiltrate messages from the Signal messaging app, allowing the adversary to gain access to sensitive conversations and documents, and even transform legitimate servers into malware command and control centers.

The Rising Threat: RDP Vulnerabilities in Industrial Enterprises and Critical Infrastructure

The widespread use of Remote Desktop Protocol (RDP) within industrial enterprises and critical infrastructure presents significant security risks due to remote code execution (RCE) vulnerabilities such as CVE-2023-24905 and CVE-2023-35332, recently disclosed by Microsoft. The former relates to DLL hijacking and has been found to disproportionately affect systems running Windows on Arm (Advanced RISC Machine) processors, which are common in industrial control system (ICS) and operational technology (OT) environments. To mitigate these risks, organizations should promptly apply Microsoft's released patches to their RDP clients and gateways, implement robust access controls, and consider adopting security tools suited to their operational requirements.

North Korean Threat Actors Suspected in JumpCloud Supply Chain Attack

North Korean state-sponsored hacker groups are suspected of orchestrating the recent supply chain attack on JumpCloud, with their infiltration techniques revealing a strategic targeting of cryptocurrency firms. In collaboration with CrowdStrike, SentinelOne researchers have traced the attack to the Lazarus Group's sub-cluster Labyrinth Chollima, highlighting the attackers' adeptness at exploiting developer environments for multifaceted intrusions. Concurrently, GitHub identified a related, low-volume social engineering campaign by the North Korean hacking group Jade Sleet, further underscoring the ongoing cyber threats facing the blockchain, cryptocurrency, and cybersecurity sectors.

Surge in Mallox Ransomware Exploiting Weak MS-SQL Servers

The activities of Mallox ransomware have spiked by 174% in 2023, adopting double extortion tactics of data theft prior to encryption, according to findings from Palo Alto Networks’ Unit 42. The ransomware, connected to multiple other strains like TargetCompany and Xollam, predominantly targets manufacturing, professional and legal services, and retail sectors, exploiting unsecured MS-SQL servers via dictionary attacks. This surge is part of a broader trend of escalating ransomware attacks, which have witnessed a 221% increase year-over-year, threatening organizations with significant financial losses and data breaches.
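The dictionary attacks against exposed MS-SQL servers mentioned above leave a clear trail in the SQL Server error log: bursts of "Login failed for user" events (error 18456) from a single client address. The following added example, which is not code from Unit 42 or from Palo Alto Networks, shows a simple sliding-window detector over such lines. The log lines are constructed for illustration and loosely follow the SQL Server errorlog layout; the threshold and window values are assumptions a defender would tune.

```python
"""Detect password-guessing bursts against MS-SQL from error-log lines.

Added example (not the page's or any vendor's code). The SAMPLE_LOG below is
constructed: 203.0.113.5 hammers the server, 198.51.100.7 is a user who
mistyped a password twice. Timestamps and addresses are documentation values.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the second of the two lines SQL Server writes for error 18456:
#   <timestamp> Logon   Login failed for user '<name>'. Reason: ... [CLIENT: <ip>]
LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<client>[^\]]+)\]"
)

SAMPLE_LOG = """\
2023-07-20 10:15:01.10 Logon       Error: 18456, Severity: 14, State: 8.
2023-07-20 10:15:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-07-20 10:15:02.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-07-20 10:15:03.70 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-07-20 10:15:05.00 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.5]
2023-07-20 10:15:06.30 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.5]
2023-07-20 10:15:07.60 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.5]
2023-07-20 10:20:11.00 Logon       Login failed for user 'reporting'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2023-07-20 10:20:25.50 Logon       Login failed for user 'reporting'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
"""


def detect_dictionary_attacks(lines, threshold=5, window_seconds=60):
    """Return {client_ip: alert} for clients with >= threshold failures inside a sliding window.

    The alert records when the burst started, how many failures were in the
    window at the moment it crossed the threshold, and which login names were
    tried. Later failures from an already-alerted client do not re-alert.
    """
    recent = defaultdict(deque)   # client -> timestamps of failures still inside the window
    users = defaultdict(set)      # client -> login names attempted
    alerts = {}
    window = timedelta(seconds=window_seconds)

    for line in lines:
        m = LOGIN_FAILED.match(line)
        if not m:
            continue  # e.g. the "Error: 18456, Severity" companion line
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        client = m["client"]
        q = recent[client]
        q.append(ts)
        users[client].add(m["user"])
        # Drop failures that have aged out of the window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and client not in alerts:
            alerts[client] = {
                "first_seen": q[0],
                "failures": len(q),
                "users": sorted(users[client]),
            }
    return alerts


if __name__ == "__main__":
    for client, alert in detect_dictionary_attacks(SAMPLE_LOG.splitlines()).items():
        print(f"{client}: {alert['failures']} failed logins since {alert['first_seen']} "
              f"against {', '.join(alert['users'])}")
```

On the constructed log the detector flags only 203.0.113.5 (five failures within seven seconds, against both `sa` and `admin`), while the two spaced-out failures from 198.51.100.7 stay below the threshold. In production the same logic would be fed by the errorlog or by audit events shipped to a SIEM; the mitigations that matter most for the Mallox pattern remain not exposing port 1433 to the internet, disabling or renaming `sa`, and enforcing strong credentials.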

Critical Security Vulnerabilities in AMI MegaRAC BMC Software Expose Servers

Two significant security flaws have been discovered in the AMI MegaRAC Baseboard Management Controller (BMC) software, enabling threat actors to remotely control vulnerable servers and deploy malware. The flaws, rated High to Critical in severity, include unauthenticated remote code execution and unauthorized device access with superuser permissions, exploitable via the Redfish remote management interface. Despite no evidence of current exploitation, the widespread use of MegaRAC BMC, a key supply chain component in millions of devices, poses a significant risk to the technology supply chain that underpins cloud computing and to the hardware supporting cloud services.

Critical Vulnerabilities in Apache OpenMeetings Enable Account Takeover and Code Execution

Three distinct security vulnerabilities have been found in the Apache OpenMeetings open-source web conferencing application that, when combined, allow threat actors to hijack user accounts, gain admin privileges, and execute arbitrary code on the server hosting the app. Widely used for video calls, presentations, and collaborative work across tens of thousands of enterprises, OpenMeetings is exposed to a weak hash comparison bug (CVE-2023-28936), unrestricted access via invitation hash (CVE-2023-29023), and a null-byte injection bug (CVE-2023-29246), which together pose a serious threat. OpenMeetings users are strongly advised to upgrade to version 7.1.0, which addresses all three vulnerabilities.

Six Main Attack Vectors on AI Systems Identified by Google

Google researchers have identified six principal attacks on real-world AI systems, highlighting a unique complexity that demands a blend of adversarial simulation and AI expertise for robust defense. These attack vectors mainly target the large language models (LLMs) driving generative AI products, producing unanticipated or malicious outputs, with potential consequences ranging from minor privacy breaches to phishing attacks that evade security controls or outright data theft. The six common attacks are prompt attacks, training-data extraction, backdooring the model, adversarial examples, data-poisoning attacks, and exfiltration attacks, and Google proposes a secure AI framework for their mitigation and prevention.

Estée Lauder Suffers Twin Breaches by Cl0p and BlackCat Ransomware Groups

Estée Lauder experienced two distinct breaches on the same day from Cl0p and BlackCat ransomware gangs, each exploiting the notorious MOVEit flaw. Despite the simultaneous claims from both groups, the incidents appear to be separate, and not a coordinated attack. Brett Callow, a threat analyst at Emsisoft, suggests that the data stolen could be used in follow-on offensives, indicating heightened cyber-risk for the cosmetics company.

Docker Images Expose API Secrets and Private Keys to Cybercriminals

Sensitive data in Docker Hub's container images, including tens of thousands of secrets, is being exposed and exploited by cybercriminals. A study by RWTH Aachen University found 52,107 private keys and 3,158 API secrets in poorly configured images, and identified 275,269 TLS and SSH hosts already using these compromised keys for authentication. The exposures have serious implications for internet-based communications, enabling impersonation attacks and the ability to eavesdrop on, inject, and alter data.
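The leak pattern described above is easy to reproduce locally: a key or `.env` file copied into an image stays in that layer even if a later `RUN rm` removes it from the final filesystem. The following added example (not code from the RWTH Aachen study or from Docker) builds a small image archive in memory in the older `docker save` layout, where each layer is a `<id>/layer.tar` entry, and scans every layer for PEM private keys and common API-key shapes. The file names, key material and regex rule set are constructed for illustration; a real scanner would also handle the OCI `blobs/sha256/...` layout and use a much larger rule set.

```python
"""Scan a saved Docker image archive, layer by layer, for leaked secrets.

Added example, not the page's or any project's own code. The archive is
constructed inline so the script runs offline; the private key and API
values inside it are placeholders, not real credentials.
"""
import io
import re
import tarfile

# Small illustrative rule set (assumption: real tools ship hundreds of rules).
PATTERNS = {
    "pem_private_key": re.compile(rb"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "aws_access_key_id": re.compile(rb"\bAKIA[0-9A-Z]{16}\b"),
    "generic_api_key": re.compile(rb"(?i)\b(?:api[_-]?key|secret)\s*[=:]\s*['\"]?([A-Za-z0-9_\-]{20,})"),
}
MAX_FILE_BYTES = 1_000_000  # skip large binaries; secrets of interest are small text files


def _add_file(tar, name, data):
    """Append an in-memory regular file to a tar being written."""
    info = tarfile.TarInfo(name)
    info.size = len(data)
    tar.addfile(info, io.BytesIO(data))


def build_sample_image():
    """Construct an image archive with one clean layer and one leaking layer."""
    layer_clean = io.BytesIO()
    with tarfile.open(fileobj=layer_clean, mode="w") as t:
        _add_file(t, "etc/app/config.yml", b"listen: 0.0.0.0:8080\n")

    layer_leaky = io.BytesIO()
    with tarfile.open(fileobj=layer_leaky, mode="w") as t:
        # Constructed placeholders, e.g. a COPY of the developer's home directory.
        _add_file(t, "root/.ssh/id_rsa",
                  b"-----BEGIN OPENSSH PRIVATE KEY-----\nCONSTRUCTED-PLACEHOLDER\n"
                  b"-----END OPENSSH PRIVATE KEY-----\n")
        _add_file(t, "app/.env",
                  b"DB_HOST=db\nAWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE01\n"
                  b"API_KEY=sk_test_0123456789abcdefghijklmn\n")

    outer = io.BytesIO()
    with tarfile.open(fileobj=outer, mode="w") as t:
        _add_file(t, "manifest.json", b"[]")
        _add_file(t, "aaaa/layer.tar", layer_clean.getvalue())
        _add_file(t, "bbbb/layer.tar", layer_leaky.getvalue())
    return outer.getvalue()


def scan_image(archive_bytes):
    """Return (layer_id, path, rule) for every secret-looking file in every layer.

    Every layer is inspected independently, so a secret that a later layer
    deleted from the merged filesystem is still reported.
    """
    findings = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as outer:
        for member in outer.getmembers():
            if not (member.isfile() and member.name.endswith("layer.tar")):
                continue
            layer_id = member.name.split("/")[0]
            layer_bytes = outer.extractfile(member).read()
            # mode "r" transparently handles gzip-compressed layers as well.
            with tarfile.open(fileobj=io.BytesIO(layer_bytes), mode="r") as layer:
                for f in layer.getmembers():
                    if not f.isfile() or f.size > MAX_FILE_BYTES:
                        continue
                    data = layer.extractfile(f).read()
                    for rule, pattern in PATTERNS.items():
                        if pattern.search(data):
                            findings.append((layer_id, f.name, rule))
    return findings


if __name__ == "__main__":
    for layer_id, path, rule in scan_image(build_sample_image()):
        print(f"layer {layer_id}: {path} matches {rule}")
```

Run against a real image with `docker save myimage:tag -o image.tar` and pass the file's bytes to `scan_image`; the same per-layer walk is why secrets removed in a later Dockerfile step are still recoverable by anyone who pulls the image, and why the fix is to keep credentials out of the build context (or use build secrets and multi-stage builds) and rotate any key that has ever been pushed.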

Disclaimer: Titles and summaries are AI-generated. Please refer to the linked content for more details.