31-Aug-23: In Security News Today

Russian Disinformation Campaign Spoofs Major News Outlets to Undermine Western Support for Ukraine

A Russian disinformation campaign known as ‘Operation Doppelganger’ has been found spreading fake articles posing as legitimate stories from major media outlets, including The Washington Post and Fox News. The campaign aims to undermine Western support for Ukraine amid the Russia-Ukraine War. The operation uses spoofed domains and real journalists’ bylines to make the stories appear authentic, and Meta has called for action to address domain registration abuse and assist organizations in taking down abusive domains.

Mozilla and Google Release Updates to Address High-Severity Vulnerabilities in Firefox and Chrome

Mozilla and Google have released stable updates for Firefox and Chrome to address several high-severity vulnerabilities, including memory corruption issues. Mozilla’s Firefox 117 includes patches for 13 vulnerabilities, including memory corruption bugs and an integer overflow issue. Google’s Chrome update resolves a use-after-free flaw in MediaStream that could potentially lead to remote code execution.

Exploitation of Recent Juniper Flaws Begins After PoC Exploit Code Publication

Threat actors have started exploiting four recently patched vulnerabilities in Juniper Networks’ Junos OS after proof-of-concept (PoC) exploit code was published online. The vulnerabilities, which can be used to control environment variables remotely and upload arbitrary files without authentication, were rated as ‘critical severity’ by Juniper Networks. The attacks are related to the PoC exploit published by WatchTowr on August 25, and cybersecurity experts are urging administrators to update their affected firewalls and switches to the latest firmware releases.

Dangling DNS Used to Hijack Subdomains of Major Organizations

Researchers from Certitude Consulting have demonstrated the potential risk of dangling DNS records by hijacking subdomains belonging to over a dozen major organizations. They warn that thousands of entities are vulnerable to such attacks. Dangling DNS occurs when a DNS CNAME record points to a subdomain that no longer exists, allowing a malicious actor to register that subdomain and take control of the content it serves. Certitude believes that organizations and cloud service providers both have a responsibility to prevent subdomain hijacking.
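The defender's side of the dangling DNS problem is an inventory check: walk your own zone, follow each CNAME chain to its final target, and flag any target that no longer resolves, because that is the name an outsider could claim. The script below is an added example, not part of the original article or Certitude's tooling; the zone records, the "still live" names and the stub resolver are constructed placeholders so it runs offline, and in practice you would pass a resolver that performs a real lookup and returns None on NXDOMAIN.

```python
"""Audit a DNS zone export for dangling CNAME records.

Added example (not from the article or from Certitude Consulting).
A CNAME is reported when the final target of its chain does not
resolve: the service it pointed at is gone, so whoever can register
that target name decides what the subdomain serves.
"""
from typing import Callable, Dict, List, Optional, Tuple

# Constructed zone export as (owner, rtype, rdata). All names are placeholders.
SAMPLE_ZONE: List[Tuple[str, str, str]] = [
    ("www.example.test.",          "CNAME", "web-prod.cdn-placeholder.test."),
    ("blog.example.test.",         "CNAME", "old-blog.hosting-placeholder.test."),
    ("docs.example.test.",         "CNAME", "intermediate.example.test."),
    ("intermediate.example.test.", "CNAME", "retired-bucket.storage-placeholder.test."),
    ("api.example.test.",          "A",     "192.0.2.10"),
]

# Constructed view of the outside world: only these external names still resolve.
LIVE_NAMES: Dict[str, str] = {
    "web-prod.cdn-placeholder.test.": "198.51.100.7",
}


def stub_resolve(name: str) -> Optional[str]:
    """Offline stand-in for a real lookup; None plays the role of NXDOMAIN."""
    return LIVE_NAMES.get(name)


def final_target(owner: str, cnames: Dict[str, str], in_zone: set, max_depth: int = 8) -> Optional[str]:
    """Follow in-zone CNAME hops from owner; return the external name the chain
    ends at, or None if it ends at a record we control (or loops)."""
    current = cnames[owner]
    seen = set()
    for _ in range(max_depth):
        if current in seen:
            return None  # CNAME loop: misconfiguration, but not claimable by others
        seen.add(current)
        if current in cnames:
            current = cnames[current]  # another alias in our zone, keep walking
            continue
        if current in in_zone:
            return None  # ends at an A/AAAA record we publish ourselves
        return current   # ends at a name outside our zone
    return current


def find_dangling_cnames(zone: List[Tuple[str, str, str]],
                         resolve: Callable[[str], Optional[str]]) -> List[Tuple[str, str]]:
    """Return [(owner, unresolved_final_target)] for every dangling CNAME."""
    cnames = {owner: target for owner, rtype, target in zone if rtype == "CNAME"}
    in_zone = {owner for owner, _, _ in zone}
    findings = []
    for owner in cnames:
        target = final_target(owner, cnames, in_zone)
        if target is not None and resolve(target) is None:
            findings.append((owner, target))
    return findings


if __name__ == "__main__":
    for owner, target in find_dangling_cnames(SAMPLE_ZONE, stub_resolve):
        print(f"DANGLING  {owner} -> {target}")
```

Following in-zone chains matters: docs.example.test. looks healthy on its own because its CNAME target exists in the zone, but that target aliases a retired external bucket, so both the intermediate name and docs itself are reported. Records that end at an A record you publish yourself are skipped, since nobody outside can register them.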

Data Breach at Fashion Retailer Forever 21 Impacts Over 500,000 Individuals

Fashion retailer Forever 21 has notified over 500,000 individuals that their personal information was compromised in a data breach earlier this year. The breach, which occurred between January and March, exposed names, birth dates, Social Security numbers, bank account numbers, and health plan data. While the company claims there is no evidence of misuse, the stolen information could be used in phishing and other malicious attacks.

Earth Estries’ Espionage Campaign Targets Governments and Tech Titans Across Continents

A hacking group known as Earth Estries has been conducting a cyber espionage campaign targeting government and technology industries in multiple countries. The group has been active since at least 2020 and shares similarities with other nation-state groups. They use various tactics, including leveraging Cobalt Strike and abusing public services, to gain access to and control over compromised environments.

Lawsuit Accuses University of Minnesota of Not Doing Enough to Prevent Data Breach

A lawsuit has been filed against the University of Minnesota, accusing it of not adequately protecting personal information from a recent data breach. The lawsuit claims that the university had the capability to prevent the breach. The university has acknowledged the breach and is currently being investigated by the FBI and the Minnesota Bureau of Criminal Apprehension.

Multiple High-Severity Vulnerabilities Patched in Splunk Enterprise and IT Service Intelligence

Splunk has released patches for multiple high-severity vulnerabilities in Splunk Enterprise and IT Service Intelligence. The vulnerabilities include remote code execution, command injection, cross-site scripting, absolute path traversal, and privilege escalation issues. Splunk also patched an unauthenticated log injection bug in IT Service Intelligence. No evidence of exploitation has been reported, but users are advised to update to the latest versions to mitigate these vulnerabilities.

Joint Report by Five Eyes Agencies on Russian State-Sponsored Malware Targeting Ukrainian Military Android Devices

Five Eyes agencies, including the UK’s NCSC, the US’s NSA, CISA, and FBI, New Zealand’s NCSC-NZ, Canada’s Centre for Cyber Security, and Australia’s ASD, have released a joint report on the Infamous Chisel malware used by Russian state-sponsored hackers to target Android devices belonging to the Ukrainian military. The malware, attributed to the Sandstorm threat actor linked to Russia’s GRU, provides persistent backdoor access to compromised devices over the Tor network and allows for data exfiltration. The report includes technical details, MITRE ATT&CK information, and indicators of compromise (IoCs) for each component of the malware.

North Korean Hackers Deploy New Malicious Python Packages in PyPI Repository

Three rogue Python packages have been discovered in the PyPI repository as part of a malicious software supply chain campaign called VMConnect, believed to be orchestrated by North Korean state-sponsored threat actors. The packages use typosquatting techniques to impersonate popular open-source Python tools and confuse developers. The packages contain code that runs in an endless execution loop, collects information about infected machines, and communicates with a command-and-control server, potentially downloading further malware. The campaign is linked to previous attacks attributed to North Korean actors and highlights the continued use of the PyPI repository as a distribution point for malware.
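Typosquatting works because a one-character slip in a package name installs something else entirely. A cheap pre-install guard is to normalize the requested name the way PyPI does (PEP 503) and compare it against the names a team already trusts, treating a near-miss that is not an exact match as something a human must confirm. The code below is an added example, not from the article or from the researchers who documented VMConnect; the trusted list is a constructed allowlist and the distance thresholds are assumptions for the demo.

```python
"""Pre-install typosquat check for Python package names.

Added example (not from the article or any vendor tooling). A requested
name is normalized per PEP 503 and compared with a constructed allowlist;
an exact match is trusted, a near-miss is reported as suspicious, and
anything else is unknown and goes through normal review.
"""
import re
from typing import List, Optional, Tuple

# Constructed allowlist of packages this (hypothetical) team already depends on.
TRUSTED: List[str] = ["requests", "urllib3", "numpy", "pandas", "cryptography", "PyYAML"]


def normalize(name: str) -> str:
    """PEP 503 name normalization: runs of '-', '_' and '.' become '-', lowercase."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein (optimal string alignment) distance, so a swapped
    pair of letters counts as one edit like a typo would."""
    prev2: Optional[List[int]] = None
    prev1 = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev1[j] + 1, cur[j - 1] + 1, prev1[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)  # transposition
        prev2, prev1 = prev1, cur
    return prev1[len(b)]


def classify(requested: str, trusted: List[str] = TRUSTED) -> Tuple[str, Optional[str]]:
    """Return ('trusted', name), ('suspicious', nearest_trusted_name) or ('unknown', None)."""
    req = normalize(requested)
    trusted_norm = {normalize(t): t for t in trusted}
    if req in trusted_norm:
        return ("trusted", trusted_norm[req])
    best: Optional[Tuple[int, str]] = None
    for norm, original in trusted_norm.items():
        # Assumed policy: allow 2 edits for long names, 1 for short ones.
        threshold = 2 if len(norm) >= 8 else 1
        d = edit_distance(req, norm)
        if d <= threshold and (best is None or d < best[0]):
            best = (d, original)
    return ("suspicious", best[1]) if best else ("unknown", None)


if __name__ == "__main__":
    for name in ["Requests", "requets", "pnadas", "urlib3", "flask"]:
        print(f"{name:10s} -> {classify(name)}")
```

Run before `pip install` in CI or a pre-commit hook, a "suspicious" verdict blocks the install until someone checks whether `requets` was meant to be `requests`. It does not catch lookalikes that share no spelling with a trusted name, which is why it complements, rather than replaces, pinned hashes and a curated index.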

Numbers Don’t Lie: Exposing the Harsh Truths of Cyberattacks in New Report

BlackBerry’s Threat Research and Intelligence Team analyzed 90 days of real-world data and found that their AI-powered endpoint protection solution detected and blocked a total of 1,578,733 malware-based cyberattacks targeting customers. The report also revealed that financial institutions, healthcare services and equipment, and food and staples retailers were the most-targeted industries during the study period. The emergence of cybersecurity’s third generation, fueled by advances in artificial intelligence and machine learning, is expected to help organizations defend against fast-moving and sophisticated cyberthreats.

Chinese Group Distributes Android Spyware via Trojan Signal, Telegram Apps

A China-based advanced persistent threat group known as GREF is distributing the BadBazaar Android spyware to users in multiple countries through Trojanized versions of the Signal and Telegram messaging apps. Thousands of users have downloaded the malicious apps from various sources, including Google’s Play Store and Samsung’s Galaxy Store. The spyware can exfiltrate device and user information and enable the threat actor to spy on communications, posing a significant threat to individuals and enterprises.

Vulnerability in WordPress Migration Plugin Exposes Websites to Attacks

A vulnerability in the All-in-One WP Migration plugin’s extensions has been discovered, potentially exposing WordPress websites to attacks that could lead to sensitive information disclosure. The vulnerability, tracked as CVE-2023-40004, allows an unauthenticated attacker to manipulate the access token configuration of the affected extensions, resulting in potential information disclosure or restoration of a malicious backup. The issue has been patched by ServMask, the plugin’s maintainer, and users are advised to update to the latest versions of the affected extensions.

Adversaries Exploit RocketMQ Bug to Revive DreamBus Bot

The RocketMQ server vulnerability, CVE-2023-33246, has been targeted by multiple threat actors to deploy the DreamBus crypto bot. DreamBus, previously dormant, has resurfaced with the objective of installing a Monero cryptocurrency miner. However, researchers warn that the modular nature of DreamBus could allow cybercriminals to diversify their attacks and deliver other forms of malware in the future.

SapphireStealer Malware: A Gateway to Espionage and Ransomware Operations

SapphireStealer is an open-source .NET-based information stealer malware that is being used by multiple entities to enhance its capabilities and create customized variants. This type of malware can be used to obtain sensitive information, including corporate credentials, which can then be resold to other threat actors for additional attacks such as espionage or ransomware. The publication of SapphireStealer’s source code has made it difficult to detect, and threat actors are continuously improving its efficiency and effectiveness.

Kinsing Group Exploits OpenFire Vulnerability to Launch Cyberattacks

The Kinsing threat group has launched over 1,000 cyberattacks in less than two months by exploiting a security vulnerability in the Openfire enterprise messaging application. The attackers create unauthenticated admin users, gain full control of Openfire cloud servers, and upload malware and a Monero cryptominer. Enterprises are urged to identify whether their Openfire instances are vulnerable, patch and secure them, and deploy runtime detection and response solutions to identify anomalies and malicious activities.

Cybercriminals Team Up to Upgrade ‘SapphireStealer’ Malware

Cybercriminals are collaborating to enhance the capabilities of an open source infostealer called ‘SapphireStealer,’ resulting in the development of numerous variants. This has democratized the cybercrime landscape and increased the potential for data theft attacks. The malware is being continuously improved, attracting more attackers and potentially leading to more dangerous consequences, such as higher-impact attacks and espionage. Organizations need to be aware of the evolving threat landscape and the interlinking nature of different cyber threats.

Disclaimer: Titles and summaries are AI-generated. Please refer to the linked content for more details.