📊 2023 OpenText Cybersecurity Threat Report
News, Announcements, Tech Discussions
September 6, 2023 By Pierluigi Paganini. Google released September 2023 Android security updates to address multiple flaws, including an actively exploited zero-day. Google released September 2023 Android security updates that address tens of vulnerabilities, including a zero-day flaw tracked as CVE-2023-35674 that was actively exploited in the wild. This high-severity vulnerability, CVE-2023-35674, resides in the Framework component; a threat actor could exploit the issue to escalate privileges without requiring user interaction or additional execution privileges. “There are indications that CVE-2023-35674 may be under limited, targeted exploitation,” reads the advisory published by Google. The company also addressed three critical remote code execution vulnerabilities, tracked as CVE-2023-35658, CVE-2023-35673 and CVE-2023-35681, in the System component.
September 6, 2023 By Sergiu Gatlan. Microsoft says Storm-0558 Chinese hackers stole a signing key used to breach government email accounts from a Windows crash dump after compromising a Microsoft engineer's corporate account. The attackers used the stolen MSA key to breach the Exchange Online and Azure Active Directory (AD) accounts of roughly two dozen organizations, including government agencies in the United States, such as the U.S. State and Commerce Departments. They exploited a now-patched zero-day validation issue in the GetAccessTokenForResource API, which enabled them to forge signed access tokens and impersonate accounts within the targeted orgs.
September 5, 2023 By Brian Krebs. In November 2022, the password manager service LastPass disclosed a breach in which hackers stole password vaults containing both encrypted and plaintext data for more than 25 million users. Since then, a steady trickle of six-figure cryptocurrency heists targeting security-conscious people throughout the tech industry has led some security experts to conclude that crooks likely have succeeded at cracking open some of the stolen LastPass vaults. Taylor Monahan is lead product manager of MetaMask, a popular software cryptocurrency wallet used to interact with the Ethereum blockchain. Since late December 2022, Monahan and other researchers have identified a highly reliable set of clues that they say connect recent thefts targeting more than 150 people. Collectively, these individuals have been robbed of more than $35 million worth of crypto. Monahan said virtually all of the victims she has assisted were longtime cryptocurrency investors, and security-mind
September 5, 2023 By Bill Toulas. The Chaes malware has returned as a new, more advanced variant that includes a custom implementation of the Google DevTools protocol for direct access to the victim's browser functions, allowing it to steal data using WebSockets. The malware first appeared in the wild in November 2020, targeting e-commerce clients in Latin America. Its operations significantly expanded by late 2021 when Avast observed it using 800 compromised WordPress sites to distribute the malware. Upon infection, Chaes installs malicious extensions in the victim's Chrome browser to establish persistence, captures screenshots, steals saved passwords and credit cards, exfiltrates cookies, and intercepts online banking credentials.
September 4, 2023 By Pierluigi Paganini. The social media site X announced that it will collect premium users’ biometric data for security and identification purposes. The social media platform X (formerly known as Twitter) has updated its privacy policy, informing its premium users that the company will collect their biometric data to curb fraud and prevent impersonation. Bloomberg first reported the news and confirmed that the change will only impact premium users. The news was also reported by TheHackerNews. “Basically, certain information is necessary if you want to use many of our products and services,” reads the updated privacy policy. “Biometric Information. Based on your consent, we may collect and use your biometric information for safety, security, and identification purposes.”
September 5, 2023 By Bill Toulas. An Atlas VPN zero-day vulnerability affecting the Linux client leaks a user's real IP address simply by visiting a website. Atlas VPN is a VPN product that offers a cost-effective solution based on WireGuard and supports all major operating systems. In a proof of concept exploit shared on Reddit, a researcher describes how the Linux client of Atlas VPN, specifically the latest version, 1.0.3, has an API endpoint that listens on localhost (127.0.0.1) over port 8076. This API offers a command-line interface (CLI) for performing various actions, such as disconnecting a VPN session using the http://127.0.0.1:8076/connection/stop URL.
September 5, 2023 By Pierluigi Paganini. A distributed denial-of-service (DDoS) attack took the site of the German Federal Financial Supervisory Authority (BaFin) down. A distributed denial-of-service (DDoS) attack took the site of the German Federal Financial Supervisory Authority (BaFin) down for some days. It is not clear who is behind the DDoS attack, but the media speculate that it was launched by pro-Russian hacktivists in response to the German financial and military support to Ukraine. The BaFin website was included in January in a list of targets published by the pro-Russia group Killnet on its Telegram channel.
Because living-off-the-land (LotL) attacks masquerade as frequently used, legitimate companies, they are very difficult to block and detect. September 5, 2023 By Troy Gill. What began as malware utilizing native applications and processes to hide malicious activity, living-off-the-land (LotL) attacks have evolved over the years. LotL phishing has become an increasingly popular method for attackers to infiltrate a legitimate third-party service (to exploit trust) and use their tools to mask and conduct malicious activities. Since the services targeted are frequently used for legitimate purposes, in most cases, they cannot be blocked outright and are hard for end users to detect. This year alone, ubiquitous brands including QuickBooks and Adobe were leveraged once again in clever LotL phishing attacks. Qakbot distributors were on the attack with new campaigns leveraging conversation hijacking attacks (CHAs) and the implied trust of previous email threads. An alternative variant of GuLoa
September 5, 2023 By Mark Stockley. Researchers at the University of Wisconsin–Madison have demonstrated that Chrome browser extensions can steal passwords from the text input fields in websites, even if the extension is compliant with Chrome's latest security and privacy standard, Manifest V3. To prove it, they created a proof of concept browser extension that could steal passwords and put it through the Chrome Web Store review process. Browser extensions are small applications like ad blockers and password managers that extend the capabilities of browsers. In order to do what they do, they enjoy a high degree of access to both the web browser and the pages the browser displays. This creates a significant challenge for vendors like Google. On the one hand, the more access browser extensions enjoy, the more they can do and the more useful and featureful they can be. On the other hand, extensions are made by third parties who may or may not be trustworthy, and the more access they have, th
By Xiaopeng Zhang | September 05, 2023
Affected platforms: Microsoft Windows
Impacted parties: Windows Users
Impact: Collects sensitive information from a victim’s computer
Severity level: Critical
Our FortiGuard Labs captured a phishing campaign that spreads a new Agent Tesla variant. This well-known malware family uses a .Net-based Remote Access Trojan (RAT) and data stealer to gain initial access. It is often used for Malware-as-a-Service (MaaS). I performed an in-depth analysis of this campaign, from the initial phishing email to the actions of Agent Tesla installed on the victim’s machine to the collecting of sensitive information from the affected device. In this analysis, you will learn about the contents of this attack, such as how the phishing email starts the campaign, how the CVE-2017-11882/CVE-2018-0802 vulnerability (and not the VBS macro) is exploited to download and execute the Agent Tesla file on the victim’s device, as well as how Agent Tesla collects the sensitive data fr
September 4, 2023 By Sergiu Gatlan. Microsoft reminded users that the insecure Transport Layer Security (TLS) 1.0 and 1.1 protocols will be disabled soon in future Windows releases. The TLS secure communication protocol is crafted to safeguard users against eavesdropping, tampering, and message forgery while exchanging and accessing information over the Internet through client/server applications. The original TLS 1.0 specification and its TLS 1.1 successor have been used for nearly two decades, with TLS 1.0 initially introduced in 1999 and TLS 1.1 in 2006. Following extensive discussions and the development of 28 protocol drafts, the Internet Engineering Task Force (IETF) approved in March 2018 the next major version of the TLS protocol, TLS 1.3.
September 4, 2023 By Guru. Recent reports suggest threat actors have used phishing emails to distribute fileless malware. The attachment consists of a .hta (HTML Application) file, which can be used for deploying other malware like AgentTesla, Remcos, and LimeRAT. This fileless malware is a Portable Executable (PE) format, which gets executed without creating the file on the victim’s system. The phishing email has the body context stating a bank transfer notice. In addition to the email, the email has an attachment with an ISO image embedded with a .hta script file. This file runs using the mshta.exe (Microsoft HTML Application).
September 4, 2023 By Aina Ojonugwa. Stake.com, the world’s largest cryptocurrency casino and sports betting platform, has reportedly fallen victim to a cyber-attack, resulting in a big loss of $41.3 million. First flagged by analyst Cyvers, the incident involves a reported private key leak that enabled the withdrawal of $15.7 million in ether (ETH) from Stake’s Ethereum wallet. Crypto sleuth ZachXBT shared the figure, adding that $15.7 million in ETH was taken along with $25.6 million stolen from Stake’s Polygon and Binance Smart Chain wallets. The funds have been converted to ETH and sent to various external wallets.
Exploit code and root-cause analysis released by SinSinology documents the problem as a case where VMWare “forgot to regenerate” SSH keys. September 1, 2023 By Ryan Naraine. Just days after shipping a major security update to correct vulnerabilities in its Aria Operations for Networks product line, VMWare is warning that exploit code has been published online. In an updated advisory, the virtualization technology giant confirmed the public release of exploit code that provides a roadmap for hackers to bypass SSH authentication and gain access to the Aria Operations for Networks command line interface. The exploit code and root-cause analysis, released by SinSinology researcher Sina Kheirkhah, documents the problem as a case where VMWare “forgot to regenerate” SSH keys.
September 4, 2023 By Sergiu Gatlan. Freecycle, an online forum dedicated to exchanging used items rather than trashing them, confirmed a massive data breach that affected more than 7 million users. The nonprofit organization says it discovered the breach on Wednesday, weeks after a threat actor put the stolen data for sale on a hacking forum on May 30, warning affected people to switch passwords immediately. The stolen information includes usernames, User IDs, email addresses, and MD5-hashed passwords, with no other information exposed, according to Freecycle.
The threat actors behind the BlackCat/ALPHV ransomware group have claimed responsibility for the recent data breach of the Japanese watchmaker, Seiko, and posted the stolen data to their dark web leak site. Officials for Seiko confirmed the data breach on August 10th and revealed that their systems had been infiltrated several weeks prior, leading to an exfiltration of an unknown amount of sensitive data. It is believed the stolen data includes scans of employee passports, production information and confidential design drafts for watches, which falls under the umbrella of protected intellectual property (IP).
Cyberattack forces Mississippi healthcare system offline
Late last week, officials for the Singing River Health System (SRHS) in Mississippi were forced to take several critical systems offline after identifying unauthorized activity on their network, stemming from an undefined cyberattack. While there are continued efforts to restore normal operations, staff are resigned to keeping paper r
September 1, 2023 By Maria Deutscher. Cybersecurity provider Malwarebytes Inc. has laid off more than 100 workers amid a restructuring initiative that will see it split into two companies. TechCrunch first reported the move on Thursday, citing a former Malwarebytes employee. Marcin Kleczynski, the company’s Chief Executive Officer, confirmed the layoffs to the publication. He said that between 100 and 110 workers are affected.