29-Aug-24: In Security News Today

BlackByte Ransomware Still Capitalizing On Known VMware ESXi Flaw

Despite repeated warnings, the ransomware group BlackByte is actively exploiting an authentication bypass vulnerability in VMware ESXi, allowing them to gain full control over virtual machines hosted by the software. Researchers from Cisco Talos have observed that the group quickly adapted to this flaw, leveraging compromised credentials and weak security practices to escalate privileges and deploy ransomware, particularly targeting manufacturing organizations. The continued exploitation underscores the urgency for organizations to apply available patches, as only a fraction of BlackByte’s attacks are publicly disclosed, indicating a higher level of activity than reported.

Tehran’s State-Sponsored Hackers Helping Cybergangs Deploy Ransomware

Iran’s state-sponsored cyber actors are selling unauthorized access to victim organizations after conducting espionage, collaborating with ransomware groups like NoEscape, RansomHouse, and ALPHV to facilitate encryption operations in exchange for ransom payments. The FBI has identified these actors as using a wide range of cyber tools, including exploiting vulnerabilities in internet-facing systems, deploying backdoors, and maintaining persistence through compromised accounts, while remaining intentionally vague about their Iranian origins. US cyber authorities recommend organizations implement specific mitigations to protect against these threats, emphasizing that paying ransom only encourages further criminal activity.

Russian APT29 Hackers Use iOS, Chrome Exploits Created By Spyware Vendors

Russian state-sponsored APT29 hackers have been exploiting iOS and Android vulnerabilities originally developed by commercial spyware vendors like NSO Group and Intellexa, targeting Mongolian government websites between November 2023 and July 2024. Despite the flaws having been patched, the group effectively used these n-day vulnerabilities against devices that had not been updated, employing “watering hole” tactics to steal sensitive data. How these exploits came to be in APT29’s arsenal remains unclear, raising concerns about the flow of zero-day vulnerabilities from commercial vendors to state-backed threat actors.

U.S. Agencies Warn Of Iranian Hacking Group’s Ongoing Ransomware Attacks

U.S. agencies have identified an Iranian hacking group, known as Pioneer Kitten and associated with the Iranian government, that has been conducting ransomware attacks and espionage operations against various sectors in the U.S., including education, finance, healthcare, and defense. The group collaborates with ransomware affiliates to monetize network access, utilizing vulnerabilities in internet-facing assets to gain entry and deploy ransomware. Additionally, Iranian cyber actors such as Peach Sandstorm have been observed conducting espionage through custom backdoors and leveraging social engineering tactics, posing significant threats to global cybersecurity.

Ransomware Gang Leaks Data Allegedly Stolen From Microchip Technology

The Play ransomware group has leaked over 5GB of data allegedly stolen from US semiconductor supplier Microchip Technology, affecting its manufacturing operations and order fulfillment. The leaked archives reportedly include sensitive personal and financial information. The group threatens to release additional data unless a ransom is paid, highlighting a growing trend of ransomware attacks targeting critical infrastructure.

South Korean APT Exploits 1-Click WPS Office Bug, Nabs Chinese Intel

South Korean APT-C-60 exploited a critical vulnerability in WPS Office, leveraging an insecure plug-in component to deploy a custom backdoor, “SpyGlace,” for espionage against Chinese targets. This vulnerability, tracked as CVE-2024-7262, allowed remote code execution through a malicious MHTML file, and was compounded by a second flaw, CVE-2024-7263, which remained unpatched for some time. WPS Office users are advised to update immediately to mitigate these high-severity risks.

Vietnamese Human Rights Group Targeted In Multi-Year Cyberattack By APT32

A non-profit advocating for Vietnamese human rights has been under a multi-year cyberattack attributed to APT32, a threat group linked to Vietnam. The attackers have used various malware, including Cobalt Strike Beacons and reconnaissance payloads, across multiple compromised hosts to collect sensitive data. This persistent threat aligns with APT32’s history of targeting organizations in East Asia for cyber espionage and intellectual property theft.

North Korean Hackers Launch New Wave Of NPM Package Attacks

North Korean threat groups have intensified their attacks on the npm ecosystem, deploying malicious packages such as temp-etherscan-api and telegram-con to infiltrate developer environments and exfiltrate sensitive data. These packages use techniques including obfuscated JavaScript and multi-stage malware to establish persistence and steal information from cryptocurrency wallet extensions. The attacks, which began on August 12, 2024, reveal a coordinated campaign exploiting trust in npm to compromise developer systems and potentially steal assets, with recent packages like helmet-validate and sass-notification continuing the trend.

Russian Hackers Exploit Safari And Chrome Flaws In High-Profile Cyberattack

Russian state-backed hackers, attributed to APT29, have exploited recently patched vulnerabilities in Apple Safari and Google Chrome to deploy information-stealing malware via watering hole attacks on Mongolian government websites. The exploits, including CVE-2023-41993, CVE-2024-4671, and CVE-2024-5274, were used to compromise devices and extract browser cookies and data, with similarities to methods used by commercial surveillance vendors. The attacks highlight ongoing risks from n-day exploits and emphasize the effectiveness of watering hole tactics in targeting unpatched devices.

Disclaimer: Titles and summaries are AI-generated. Please refer to the linked content for more details.