Greetings and welcome to our weekly cybersecurity newsletter. We understand that keeping up with the constantly changing world of 🔐 cybersecurity can be daunting, but our goal is to provide you with relevant and actionable information to help you stay one step ahead of potential threats.
In this week’s edition, we’ll cover recent cyber attacks, new vulnerabilities, and the latest cybersecurity tools. We’ll explore how organizations can protect themselves against these vulnerabilities and share the newest tools available to strengthen their cybersecurity.
Whether you’re an IT professional, business owner, or simply interested in staying informed about the latest cybersecurity news, we hope you find this newsletter informative and valuable.
💻 Upcoming Cybersecurity Webinar: We are excited to announce an upcoming webinar titled “Inside the High Risk of 3rd-Party SaaS Apps”, which will shed light on the potential cybersecurity risks associated with third-party software as a service (SaaS) applications. Don’t miss this opportunity to learn from industry experts and stay up-to-date on the latest cybersecurity threats. Register now and secure your spot for this informative session.
A new and sophisticated malware called HiatusRAT has been discovered targeting business-grade routers in Latin America, Europe, and North America since July 2022. HiatusRAT enables the attacker to remotely access the infected system and turn it into a covert proxy to spy on victims. The malware also deploys a variant of tcpdump to capture network packets on the compromised device. The threat primarily targets end-of-life DrayTek Vigor router models 2960 and 3900, with approximately 100 internet-exposed devices compromised as of mid-February 2023, impacting various industries such as pharmaceuticals, IT services/consulting firms, and municipal government. Interestingly, the small number of impacted devices indicates that the attacker is intentionally maintaining a minimal footprint to limit exposure.
- Keep Router Software Up-to-Date: Routinely check for and install any available firmware or software updates for your router to patch any known vulnerabilities that could be exploited by cybercriminals.
- Implement Strong Passwords and Authentication: Use complex passwords and multi-factor authentication to secure your router, as weak or default login credentials can be easily guessed or brute-forced by attackers.
- Regularly Monitor Network Traffic: Stay vigilant and monitor your network traffic for any signs of suspicious activity, such as unusual or unauthorized devices connected to your router, to quickly detect any potential threats.
A group of experts from the KTH Royal Institute of Technology has discovered a flaw in CRYSTALS-Kyber, one of the post-quantum algorithms chosen by the U.S. government to protect against quantum computing threats. The vulnerability lies in a specific implementation of the encryption algorithm, which can be exploited through side-channel attacks. These attacks use physical parameters, such as supply current or electromagnetic emissions, to extract sensitive information like encryption keys and ciphertext.
Xenomorph, a notorious Android banking trojan, has resurfaced with a new and improved variant that is even more powerful and efficient in carrying out financial fraud. According to cybersecurity experts, this updated version, known as Xenomorph 3rd generation, boasts new capabilities that enable it to seamlessly target over 400 banking and financial institutions, including cryptocurrency wallets. The trojan’s advanced runtime engine, which is powered by Android Accessibility services, allows it to implement a complete ATS (automated transfer system) framework, making it an even bigger threat to users’ financial security.
To protect yourself against the threat posed by Xenomorph 3rd generation and other similar malware, here are three cybersecurity tips:
- Avoid downloading apps from untrusted sources: Only download apps from the Google Play Store or other trusted app stores to reduce the risk of downloading malware.
- Keep your operating system and apps updated: Ensure that your Android device is running on the latest operating system and that all your apps are up-to-date. This helps to patch any security vulnerabilities that could be exploited by cybercriminals.
- Use antivirus software: Invest in reputable antivirus software to detect and remove any malware that may be present on your device. Make sure to run regular scans to ensure that your device is free from any malicious software.
The Trusted Platform Module (TPM) 2.0 reference library specification has been found to have two serious security defects that could potentially lead to information disclosure or privilege escalation. The vulnerabilities, discovered by cybersecurity firm Quarkslab, could be triggered by sending malicious commands to TPM 2.0 firmware. The flaws could affect billions of devices, including those used by large tech vendors, organizations using enterprise computers, servers, IoT devices, and embedded systems. TPM is a hardware-based solution that provides secure cryptographic functions and physical security mechanisms to resist tampering efforts. Users are advised to apply updates released by TCG and other vendors to address the flaws and mitigate supply chain risks.
IceFire Ransomware is a Windows-based malware that has recently shifted its focus to target Linux enterprise networks of media and entertainment sector organizations worldwide. The malware uses a vulnerability in IBM Aspera Faspex file-sharing software to gain access to the targeted networks. The attacks have mostly targeted companies located in countries that are not typically targeted by organized ransomware groups. This strategic shift is a significant move that aligns IceFire with other ransomware groups targeting Linux systems. To protect against such attacks, here are three cybersecurity tips:
- Use strong passwords: Create complex and unique passwords for all accounts, use two-factor authentication wherever possible, and avoid using the same password across multiple accounts.
- Backup data regularly: Ensure that data is backed up regularly and stored offsite in case of a ransomware attack, so that it can be restored without paying the ransom.
Lucky Mouse, the notorious threat actor, has developed a Linux version of the malware toolkit called SysUpdate, which has new evasion tactics that make it difficult to detect and reverse engineer. This expansion of an existing toolkit to a new platform highlights the need for increased vigilance in cybersecurity practices. Lucky Mouse has a history of utilizing various malware, including SysUpdate, HyperBro, and PlugX, and has orchestrated campaigns through supply chain compromises of legitimate apps.
A critical security alert has been issued for Jenkins, the open-source automation server, as a pair of severe security vulnerabilities have been found that could allow code execution attacks. Dubbed CorePlague, the vulnerabilities affect all versions of Jenkins before 2.319.2, and they impact the Jenkins server and Update Center. According to cloud security firm Aqua, exploiting these flaws can allow an unauthenticated attacker to execute arbitrary code on the victim’s Jenkins server, potentially leading to a complete compromise. This could result in devastating consequences, including loss of sensitive data, website crashes, and cybercriminals gaining unauthorized access to computer systems.
To protect against this threat, here are three brief cybersecurity tips:
- Keep Jenkins updated: Always keep Jenkins up-to-date with the latest patches and security updates to avoid falling prey to known vulnerabilities.
- Use plugin whitelisting: Restrict plugin installation to only those approved by the administrator. This way, only trusted plugins will be installed, reducing the risk of malicious plugins being installed and executed.
- Use multi-factor authentication: This extra layer of security will help thwart attacks that use stolen credentials, as cybercriminals will need to have access to the user’s device or phone to log in. Therefore, using multi-factor authentication can significantly reduce the risk of unauthorized access to the Jenkins server.
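The first two Jenkins tips can be checked mechanically. The following is an added example (not code from the newsletter, Jenkins or Aqua) that audits a Jenkins plugin inventory against an administrator's allowlist and compares the core version with the 2.319.2 threshold quoted above; it assumes the inventory was fetched from Jenkins' /pluginManager/api/json?depth=1 endpoint and the core version from the X-Jenkins response header, and uses a constructed sample inventory so it runs offline.

```python
import json
import re
from typing import Iterable, List

# Threshold quoted in the newsletter item: versions before this are affected.
FIXED_CORE_VERSION = "2.319.2"


def parse_version(v: str) -> tuple:
    """Turn '2.319.2' or '2.387' into a comparable tuple; missing parts count as 0."""
    parts = [int(p) for p in re.findall(r"\d+", v)]
    return tuple(parts + [0] * (3 - len(parts)))


def core_is_outdated(core_version: str, fixed: str = FIXED_CORE_VERSION) -> bool:
    """True when the running core (X-Jenkins header value) is older than the fixed release."""
    return parse_version(core_version) < parse_version(fixed)


def unapproved_plugins(inventory: dict, allowlist: Iterable[str]) -> List[str]:
    """Return shortNames of enabled plugins that are not on the administrator's allowlist."""
    allowed = set(allowlist)
    return sorted(p["shortName"] for p in inventory.get("plugins", [])
                  if p.get("enabled", True) and p["shortName"] not in allowed)


def audit(core_version: str, inventory: dict, allowlist: Iterable[str]) -> List[str]:
    """Combine both checks into a list of human-readable findings (empty list = clean)."""
    findings = []
    if core_is_outdated(core_version):
        findings.append(f"core {core_version} is older than {FIXED_CORE_VERSION}; update Jenkins")
    for name in unapproved_plugins(inventory, allowlist):
        findings.append(f"plugin '{name}' is installed but not on the approved list")
    return findings


# Constructed sample in the shape of /pluginManager/api/json?depth=1, trimmed to the fields used.
SAMPLE_INVENTORY = json.loads("""{"plugins": [
  {"shortName": "git", "version": "5.0.0", "enabled": true},
  {"shortName": "credentials", "version": "1214", "enabled": true},
  {"shortName": "mystery-tool", "version": "0.1", "enabled": true},
  {"shortName": "old-thing", "version": "0.9", "enabled": false}
]}""")
APPROVED = ["git", "credentials", "workflow-aggregator"]  # hypothetical administrator allowlist

if __name__ == "__main__":
    for line in audit("2.319.1", SAMPLE_INVENTORY, APPROVED):
        print("FINDING:", line)
```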
Fortinet, a leading cybersecurity solutions provider, has released a patch to fix a critical flaw that could potentially grant hackers remote access to affected systems. The vulnerability, tracked as CVE-2023-25610, has a severity score of 9.3 out of 10 and affects both FortiOS and FortiProxy. The flaw, discovered by Fortinet’s security teams, is caused by a buffer underwrite issue that allows attackers to execute arbitrary code and perform a Denial of Service (DoS) on the GUI. To protect against such threats, here are three cybersecurity tips:
- Implement access control measures: Use strong passwords, two-factor authentication, and limit access to administrative interfaces to authorized personnel only.
- Deploy security solutions: Deploy firewalls, intrusion detection and prevention systems, and antivirus software to mitigate attacks that may exploit known vulnerabilities. Additionally, conduct regular security audits and penetration testing to identify and address potential vulnerabilities before they can be exploited.
Shein’s Android app has been caught transmitting users’ clipboard data to remote servers due to a bug in an older version of the app. The Microsoft 365 Defender Research Team discovered the issue in December 2021, and it has since been addressed. Shein’s app has over 100 million downloads on the Google Play Store, but the company has stated that there was no malicious intent behind the behavior. Google has made recent improvements to Android to prevent apps from accessing clipboard data unless the app is actively running in the foreground. To protect against this threat, here are three cybersecurity tips:
- Be mindful of app permissions: Before installing an app, check its permissions and only grant the necessary ones. If an app requests access to sensitive data, such as your camera or microphone, and it’s not necessary for the app to function, it’s better to deny it.
- Use a clipboard manager: Clipboard managers allow you to keep track of what’s in your clipboard and even enable you to clear it with one click. Using a clipboard manager can prevent apps from accessing data that you’ve copied to your clipboard.
LastPass, a well-known password management service, suffered a massive data breach between August and October 2022. The breach was caused by an engineer’s failure to update Plex on their home computer, which left a vulnerability unpatched for nearly three years, allowing hackers to execute arbitrary Python code and steal the engineer’s credentials. The intruders then used these credentials to breach LastPass’s cloud storage environment, stealing partially encrypted password vault data and customer information.
This unfortunate incident serves as a reminder of the importance of keeping all software up-to-date, as even a small oversight can result in significant consequences.
Law enforcement authorities from Germany and Ukraine, with the help of Dutch National Police and the FBI, have targeted suspected core members of the DoppelPaymer ransomware gang responsible for large-scale attacks. On February 28, 2023, a German national’s house was raided, searches were conducted in the Ukrainian cities of Kiev and Kharkiv, and a Ukrainian national was interrogated. The exact role of the suspects and their links to other accomplices are still being determined. Additionally, German authorities have issued arrest warrants against three alleged DoppelPaymer operatives who are said to be the “masterminds of the criminal group.” This action is a significant blow against DoppelPaymer and a step towards improving cybersecurity.
A new post-exploitation framework called EXFILTRATOR-22, or EX-22, has recently been discovered by cybersecurity experts. This framework is specifically designed to deploy ransomware within enterprise networks, while remaining undetected by antivirus software. EX-22 is being advertised as a fully undetectable malware, making it an attractive option for criminal actors looking to exploit enterprise networks. The malware has a range of capabilities, including logging keystrokes, uploading and downloading files, and even starting a live VNC session for real-time access. The cybersecurity firm CYFIRMA believes that the threat actors responsible for creating the malware are likely former affiliates of the LockBit ransomware enterprise based in North, East, or Southeast Asia.
We hope that the information and insights shared here have been informative and valuable to you.
As always, we encourage you to stay vigilant and take proactive measures to protect yourself and your organization from potential cyber threats. Be sure to follow best practices for password management, keep your software and systems up-to-date, and stay informed about the latest threats and vulnerabilities.
If you have any feedback or suggestions for future topics you’d like us to cover, please don’t hesitate to reach out to us. We value your input and are always looking for ways to improve our newsletter and better serve our readers.
Thanks again for reading, and we look forward to bringing you more valuable insights and information in our next edition. Stay safe and secure!