ESET researchers have discovered Deadglyph, a sophisticated backdoor used by the infamous Stealth Falcon group for espionage in the Middle East September 22, 2023 By Filip Jurčacko For years, the Middle East has maintained its reputation as a fertile ground for advanced persistent threats (APTs). In the midst of routine monitoring of suspicious activities on the systems of high-profile customers, some based in this region, ESET Research stumbled upon a very sophisticated and unknown backdoor that we have named Deadglyph. We derived the name from artifacts found in the backdoor (such as 0xDEADB001, shown also in Table 1), coupled with the presence of a homoglyph attack. To the best of our knowledge, this is the first public analysis of this previously undocumented backdoor, used by a group that exhibits a notable degree of sophistication and expertise. Based on the targeting and additional evidence, we attribute Deadglyph with high confidence to the Stealth Falcon APT group. >> Fu
September 22, 2023 By Ionut Ilascu Security researchers discovered a multi-step information stealing campaign where hackers breach the systems of hotels, booking sites, and travel agencies and then use their access to go after financial data belonging to customers. By using this indirect approach and a fake Booking.com payment page, cybercriminals have found a combination that ensures a significantly better success rate at collecting credit card information. >> Full Article <<
The latest BIND security updates include patches for two high-severity DoS vulnerabilities that can be exploited remotely. September 22, 2023 By Ionut Arghire The Internet Systems Consortium (ISC) has released security updates to address two remotely exploitable denial-of-service (DoS) vulnerabilities in the DNS software suite BIND. Both bugs, ISC says, reside in named – the BIND daemon that acts both as an authoritative name server and as a recursive resolver – and may cause it to terminate unexpectedly. The first of the flaws, tracked as CVE-2023-3341 (CVSS score of 7.5), is described as a stack exhaustion issue impacting the control channel message processing. The code calls for certain functions recursively, which could lead to memory exhaustion. >> Full Article <<
The newly emerged ransomware actively targets both Windows and Linux systems with a double-extortion approach. September 22, 2023 By Nathan Eddy Akira ransomware has continued to evolve since emerging as a threat in March, expanding its reach from initially targeting Windows systems to include Linux servers and employing a growing array of tactics, techniques, and procedures (TTPs). An in-depth report on Akira from LogPoint breaks down the "highly sophisticated" ransomware, which encrypts victim files, deletes shadow copies, and demands ransom payment for data recovery. The infection chain actively targets Cisco ASA VPNs lacking multifactor authentication to exploit the CVE-2023-20269 vulnerability as an entry point. >> Full Article <<
September 22, 2023 By Pierluigi Paganini The experts warn of a surge in P2PInfect botnet activity since late August 2023; they are witnessing a 600x jump between September 12 and 19, 2023. In July 2023, Palo Alto Networks Unit 42 researchers discovered a new peer-to-peer (P2P) worm called P2PInfect that targets Redis servers running on both Linux and Windows systems. The capability to target Redis servers running on both Linux and Windows operating systems makes P2PInfect more scalable and potent than other worms. The worm is written in the Rust programming language; it targets Redis instances by exploiting the Lua sandbox escape vulnerability CVE-2022-0543 (CVSS score 10.0). Cado Security Labs researchers reported to have witnessed a 600x increase in P2Pinfect traffic since August 28th. According to the researchers, traffic experienced a 12.3% surge during the week leading up to the publication of their analysis. P2Pinfect infections have been reported in China, the United States, Germa
September 22, 2023 By Bill Toulas Ethereum blockchain analytics firm Nansen asks a subset of its users to reset passwords following a recent data breach at its authentication provider. Nansen is a popular entity in the cryptocurrency space, offering users insights into Ethereum wallet activity, helping identify emerging projects, and generally helping people make informed investment decisions. In a letter sent to impacted users, Nansen says they learned on September 20th that one of their third-party vendors suffered a data breach. The unnamed vendor was compromised by an attacker who somehow gained access to an admin panel controlling Nansen customer access on the analytics platform. >> Full Article <<
No one mentioned that libwebp, a library found in millions of apps, was a 0-day origin. DAN GOODIN - 9/21/2023 Incomplete information included in recent disclosures by Apple and Google reporting critical zero-day vulnerabilities under active exploitation in their products has created a “huge blindspot” that’s causing a large number of offerings from other developers to go unpatched, researchers said Thursday. Two weeks ago, Apple reported that threat actors were actively exploiting a critical vulnerability in iOS so they could install espionage spyware known as Pegasus. The attacks used a zero-click method, meaning they required no interaction on the part of targets. Simply receiving a call or text on an iPhone was enough to become infected by the Pegasus, which is among the world’s most advanced pieces of known malware. “Huge blindspot” Apple said the vulnerability, tracked as CVE-2023-41064, stemmed from a buffer overflow bug in ImageIO, a proprietary framework that allows applications
Chinese state-sponsored threat groups have targeted telecoms, financial and government organizations in Africa as part of soft power efforts. September 22, 2023 By Eduard Kovacs Chinese state-sponsored threat groups have targeted telecommunications, financial and government organizations in Africa in support of Beijing’s soft power agenda in the region, according to SentinelOne. Earlier this year, SentinelOne reported seeing a Chinese cyberespionage group targeting telecoms providers in the Middle East as part of an operation dubbed Tainted Love. The cybersecurity firm revealed on Thursday that the same threat actor, which could be linked to China’s APT41 group, has also been observed targeting a North African telecommunications organization as part of what appears to be an operation supporting China’s soft power efforts. >> Full Article <<
September 20, 2023 By Caitlin Rawling Nearly 200,000 Pizza Hut Australia customers have had their data leaked, following a cyber attack earlier this month. On Wednesday, a spokesperson for Pizza Hut Australia told ABC it became aware of the cyber incident in early September, where an unauthorised third party accessed some of the company's data. According to DataBreaches.net, hacking group ShinyHunters are allegedly the group behind the hack. The spokesperson said the data is limited to the Australian market and does not impact Pizza Hut's operations in any other country. >> Full Article <<
TransUnion denies suffering a breach after a hacker publishes 3GB of data allegedly stolen from the credit reporting firm. September 21, 2023 By Ionut Arghire Credit reporting firm TransUnion this week denied being breached, after a hacker published online 3Gb of information allegedly stolen from the company’s systems. TransUnion’s announcement comes two days after a threat actor using the moniker ‘USDoD’ published on a cybercrime forum a database allegedly containing the information of roughly 58,000 individuals. The leaked personally identifiable information included name, sex, date and place of birth, age, employer, passport data, financial transaction details, credit score, and more. >> Full Article <<
Researchers Say Breach Illustrates Why Schools Are Major Targets for Cybercriminals September 21, 2023 By Marianne Kolbasuk McGee An Ohio community college is notifying 290,000 people of a data theft breach this spring that may have compromised their personal, financial and health information. In a breach notification Wednesday, Lakeland Community College did not provide any details on the attack, which occurred between March 7 and March 31, but the Vice Society ransomware group earlier this year had listed the college on its data leak website. "This particular ransomware operation seemed to focus on the education sector - presumably because they found it to be a lucrative niche," said Brett Callow, a threat analyst at security firm Emsisoft. >> Full Article <<
September 21, 2023 By Sead Fadilpašić Hackers are targeting large corporations with ValleyRAT A new malware strain called ValleyRAT is being deployed among large organizations around the world, researchers have warned. Cybersecurity experts from Proofpoint published a report alleging that Chinese businesses on the mainland, but also other firms elsewhere, are being targeted by multiple new malware strains, possibly used by more than one new threat actor. Among those is a new tool called ValleyRAT: “The campaigns distributing this malware were conducted in Chinese, and, following the trend of other Chinese malware campaigns, the majority used invoice themes related to various Chinese businesses,” the researchers said, stating that they saw multiple campaigns distributing this particular malware. >> Full Article <<
Cisco will boost its cybersecurity capabilities by shelling out $28 billion to buy Splunk, which Cisco says will drive the next generation of AI-enabled security and observability. September 21, 2023 By Eduard Kovacs Cisco on Thursday announced that it has entered into a definitive agreement to acquire data analysis, security and observability solutions provider Splunk (NASDAQ: SPLK) in a deal valued at $28 billion. The networking giant is prepared to pay $157 per share in cash for Splunk, with the acquisition expected to close by the end of the third quarter calendar year 2024. Cisco said the deal will help accelerate revenue growth and gross margin expansion. Following the acquisition, Splunk President and CEO Gary Steele will join Cisco’s executive team and will report to Cisco CEO and Chair Chuck Robbins. >> Full Article <<
A financially motivated threat actor uses known vulnerabilities, ordinary TTPs, and off-the-shelf tools to exploit the unprepared, highlighting the fact that many organizations still don't focus on the security basics. September 21, 2023 By Nate Nelson An initial access broker (IAB) is still running rampant despite being tracked for seven years by researchers, and despite striking up a predictable tune when it comes to the tools and tactics used to compromise organizations (and pave the way for follow-on ransomware attacks). Between July 2020 and July 2022, Secureworks identified five separate intrusions by the group it tracks as "Gold Melody" (aka UNC961 to Mandiant, and Prophet Spider to CrowdStrike). Each of the attacks was snuffed out early, thanks in part to the group's extensive yet predictable tactics, techniques, and procedures (TTPs), researchers have noted. Yet to Rafe Pilling, director of threat research for Secureworks' Counter Threat Unit, "the thing that stood out is they
September 21, 2023 By Pierluigi Paganini Exail Technologies, a high-tech manufacturer whose clients include the US Coast Guard, exposed sensitive company data that could’ve enabled attackers to access its databases. Exail, a French high-tech industrial group, left exposed a publicly accessible environment (.env) file with database credentials, the Cybernews research team has discovered. The company, formed in 2022 after ECA Group and iXblue merged, specializes in robotics, maritime, navigation, aerospace, and photonics technologies, making it a particularly juicy target for attackers. The company fixed the issue after being contacted by our research team. We reached out to Exail for further comment but did not receive a response before publishing. >> Full Article <<
September 21, 2023 By Bill Toulas A previously unknown threat actor dubbed 'Sandman' targets telecommunication service providers in the Middle East, Western Europe, and South Asia, using a modular info-stealing malware named 'LuaDream.' This malicious activity was discovered by SentinelLabs in collaboration with QGroup GmbH in August 2023, who named the threat actor and malware after the backdoor's internal name of 'DreamLand client.' The operational style of Sandman is to keep a low profile to evade detection while performing lateral movement and maintaining long-term access to breached systems to maximize its cyberespionage operations. >> Full Article <<
By Shunichi Imano and James Slaughter | September 21, 2023 On a bi-weekly basis, FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our datasets and the OSINT community. The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants. This edition of the Ransomware Roundup covers the Retch and S.H.O ransomware.
Affected platforms: Microsoft Windows
Impacted parties: Microsoft Windows Users
Impact: Encrypts and exfiltrates victims’ files and demands ransom for file decryption
Severity level: High
Retch Ransomware Overview
Retch is a new ransomware variant first discovered in mid-August 2023. It encrypts files on compromised machines and leaves two ransom notes asking victims to pay a ransom for file decryption. >> Full Article <<