21-Jul-23: In Security News Today

North Korean Group Targets Tech Firms with Social Engineering Scheme on GitHub

GitHub has detected a low-frequency social engineering campaign aimed at employees of tech companies, particularly those linked to the blockchain, cryptocurrency, online gambling, and cybersecurity sectors. Assessed with high confidence as the work of North Korean group Jade Sleet, the campaign uses fake persona accounts to establish contact, invites targets to collaborate on a GitHub repository, and gets them to execute its contents, which include malicious npm packages. GitHub has suspended the associated accounts, reported domain abuse, and advises potential targets to exercise caution with social media solicitations, scrutinize dependencies and installation scripts, and inform their cybersecurity departments if targeted.

Blacksuit Ransomware: Enhanced Threat to ESXi Systems

The new Blacksuit ransomware encryptor poses a significant threat to ESXi systems, with unique features that allow it to target vulnerable VM infrastructure. Sharing a substantial amount of code with the existing Royal ransomware, Blacksuit is considered a likely product of the same developer group but with improved functionalities like the ability to safely shutdown VM instances and offering configurable options for encryption process management. The malware is presently being used in limited but successful attacks, with its notable malicious techniques including using ESXi commands for partial or full file encryption, and configurable VM management.

Critical Vulnerability in OpenSSH’s Forwarded ssh-agent: Remote Code Execution Exploit

The Qualys Security Advisory uncovered a remote code execution vulnerability (CVE-2023-38408) in OpenSSH’s forwarded ssh-agent. A remote attacker with access to the server where the ssh-agent is forwarded can load and unload any shared library in the /usr/lib* directory of the local workstation, creating unintended side effects and security risks. The report demonstrated that by chaining four common side effects of shared libraries, the researchers could transform this limited primitive into a reliable remote code execution in ssh-agent, despite security measures like Address Space Layout Randomization (ASLR), Position Independent Executables (PIE), and No Execute (NX) in place.

Beijing-Linked Hackers Breach U.S. Ambassador’s Email

Hackers allegedly associated with Beijing accessed the email accounts of the U.S. ambassador to China, Nicholas Burns, and other senior Biden administration officials. The attack compromised unclassified U.S. government emails, potentially gleaning insights into U.S.-China diplomacy and policy, though the full extent is still being investigated. The breach was reportedly achieved via a vulnerability in Microsoft’s cloud-computing environment, which has since been patched, and is described as surgical in nature, targeting specific high-value victims.

Immediate Metabase Upgrade Advised Due to Severe Security Vulnerability

A significant security vulnerability, allowing an unauthenticated attacker to run arbitrary commands with the same privileges as the Metabase server, has been discovered in the Metabase software. Users of both Enterprise and open-source editions are urged to immediately upgrade to the latest patched versions provided. While no known exploitations have been detected so far, Metabase Cloud customers are already protected with patches applied and network access audited.

Zyxel Devices Exploited by DDoS Botnets to Launch Extensive Attacks

Several DDoS botnets have been exploiting a critical vulnerability (CVE-2023-28771) in Zyxel devices, allowing them to gain remote control and initiate extensive attacks. Researchers from Fortinet FortiGuard Labs have observed these activities in various regions, including Central America, North America, and parts of Asia, with the Mirai botnet variants, Dark.IoT, and the Katana botnet at the forefront. Concurrently, Cloudflare reports a rise in sophistication of DDoS attacks, including novel evasion tactics such as DNS laundering and the use of virtual machine botnets.

BundleBot Malware Targets Sensitive Data via Bogus Google AI Chatbot

The newly identified BundleBot malware is being used by threat actors to harvest sensitive information from compromised hosts, with distribution commonly conducted via Facebook Ads and compromised accounts. The malware impersonates legitimate utilities and tools, including a mimic of Google Bard, an AI chatbot, which lures victims into downloading a deceptive RAR archive. This stealthy attack uses custom-made obfuscation and junk code to resist analysis and is capable of extracting data from web browsers, capturing screenshots, and collecting Discord tokens and details from Telegram and Facebook accounts.

REvil Ransomware Resurfaces with New Variants After Months of Inactivity

After a six-month hiatus, the notorious REvil ransomware operation has re-emerged, as suggested by the analysis of new ransomware samples. These samples display modifications indicative of heavy active development and suggest that the group has regained access to REvil’s source code. The resurgence of REvil aligns with recent changes in the cyber threat landscape and emphasizes the ongoing challenge of eradicating cybercriminal groups, which often disband and rebrand to continue operations.

SophosEncrypt RaaS Deceives Security Researchers with Vendor Masquerade

The SophosEncrypt ransomware-as-a-service (RaaS) has surfaced, successfully evading detection by masquerading as cybersecurity firm Sophos. Initially perceived as a red-team exercise by Sophos, it was later identified as a true malware threat, prompting Sophos to start working on targeted detection rules for its endpoint security products. Despite its somewhat outdated functionality, the ransomware acts as a general-purpose remote access trojan (RAT) with the capability to encrypt files, generate ransom notes, and connect to past-attacked Cobalt Strike C2 servers.

HotRat Malware Leverages Pirated Software for Global Infections

A dangerous variant of the AsyncRAT malware, HotRat, is spreading through pirated versions of popular software and video games. Providing attackers with capabilities such as credential theft, cryptocurrency wallet access, screen capturing, keylogging, additional malware installation, and clipboard data control, HotRat has been prevalent since October 2022, notably in countries including Thailand, Guyana, Libya, Suriname, Mali, Pakistan, Cambodia, South Africa, and India. Distributed via torrent sites, this versatile Remote Access Trojan (RAT) contains nearly 20 commands, each capable of executing a .NET module from a remote server, hence extending its functionalities as required by the threat actors.

Storm-0558’s Microsoft Attack Broadens: Azure AD Token Forging Extended Beyond Outlook

The attack against Microsoft’s email infrastructure by Chinese nation-state actor, Storm-0558, was reportedly more extensive than initially understood. The compromised Microsoft account (MSA) consumer signing key that was used to forge Azure Active Directory (Azure AD) tokens for unauthorized access to Outlook Web Access and Outlook.com could also potentially enable access to other Azure AD applications, such as OneDrive, SharePoint, Teams, and customer applications supporting “Login with Microsoft” functionality. Given the ubiquity of Azure AD auth tokens in the Microsoft ecosystem, Wiz’s Chief Technology Officer, Ami Luttwak, described an attacker possessing an Azure AD signing key as “the most powerful attacker you can imagine,” due to their potential to access almost any app as any user.

Disclaimer: Titles and summaries are AI-generated. Please refer to the linked content for more details.