News, Announcements, Tech Discussions
Sep 12, 2023 A sophisticated phishing campaign is using a Microsoft Word document lure to distribute a trifecta of threats, namely Agent Tesla, OriginBotnet, and RedLine Clipper, to gather a wide range of information from compromised Windows machines. "A phishing email delivers the Word document as an attachment, presenting a deliberately blurred image and a counterfeit reCAPTCHA to lure the recipient into clicking on it," Fortinet FortiGuard Labs researcher Cara Lin said. Clicking on the image leads to the delivery of a loader from a remote server that, in turn, is designed to distribute OriginBotnet for keylogging and password recovery, RedLine Clipper for cryptocurrency theft, and Agent Tesla for harvesting sensitive information. The loader, written in .NET, employs a technique called binary padding by adding null bytes to increase the file's size to 400 MB in an attempt to evade detection by security software. The activation of the loader triggers a multi-stage process to establish persi
September 11, 2023 By Helga Labus A new phishing campaign taking advantage of an easily exploitable issue in Microsoft Teams to deliver malware has been flagged by researchers.
Delivering malware to Microsoft Teams users
Late last month, Truesec researchers spotted two compromised Microsoft 365 accounts sending HR-themed messages with a malicious attachment to enterprise targets. The two messages were the same: they claimed that, due to unforeseen circumstances, there have been changes to the vacation schedule and the recipient may be affected by them. The phishing message. (Source: Truesec) >> Full Article <<
Custom PowerShell scripts are being deployed against geofenced targets in Australia, Belgium, and Poland to exfiltrate data. September 11, 2023 By Dark Reading Staff A sophisticated cyber campaign is using images of OnlyFans models and geofencing to target specific victims across Australia, Poland, and Belgium, using custom PowerShell scripts to steal data. According to a recent report from Zscaler ThreatLabz, the campaign, called "Steal-It," is likely the work of APT28, also known as Fancy Bear, researchers said. After establishing an initial foothold with customized PowerShell Nishang Start-CaptureServer scripts, the Steal-It cyberattack abuses the Mockbin API endpoint generating tool to exfiltrate data, including NTLM hashes and command output, the report explained. >> Full Article <<
MGM Resorts confirms “cybersecurity incident” led to the shutdown of web sites and IT systems of hotels throughout the United States. September 11, 2023 By Ryan Naraine Hospitality and entertainment giant MGM Resorts on Monday said a “cybersecurity issue” forced the shutdown of certain computer systems, including the websites for some of the biggest Las Vegas and New York properties. A brief note posted to X (the website formerly known as Twitter) said external cybersecurity experts and law enforcement are involved in an investigation that has all the hallmarks of a ransomware extortion attack. >> Full Article <<
September 11, 2023 By Bill Toulas A new attack dubbed 'WiKI-Eve' can intercept the cleartext transmissions of smartphones connected to modern WiFi routers and deduce individual numeric keystrokes at an accuracy rate of up to 90%, allowing numerical passwords to be stolen. WiKI-Eve exploits BFI (beamforming feedback information), a feature introduced in 2013 with WiFi 5 (802.11ac), which allows devices to send feedback about their position to routers so the latter can direct their signal more accurately. The problem with BFI is that the information exchange contains data in cleartext form, meaning that this data can be intercepted and readily used without requiring hardware hacking or cracking an encryption key. Overview of the WiKI-Eve attack (arxiv.org) >> Full Article <<
September 11, 2023 By Pierluigi Paganini Zscaler ThreatLabz detailed a new malware loader, named HijackLoader, which has grown in popularity over the past few months. HijackLoader is a loader that is gaining popularity among the cybercriminal community. The malware is not sophisticated; however, unlike other loaders, it has a modular structure that supports code injection and execution. HijackLoader is being used to load different malware families such as Danabot, SystemBC and RedLine Stealer. The loader was first observed by the security firm in July 2023, and the researchers noticed that the threat employs a number of evasion techniques, such as the use of syscalls. >> Full Article <<
Anonymous Sudan launches a DDoS attack against Telegram in retaliation for the suspension of their primary account on the platform. September 11, 2023 By Ionut Arghire The hacker group Anonymous Sudan has launched a distributed denial-of-service (DDoS) attack against Telegram in retaliation for the messaging platform’s decision to suspend their primary account, threat intelligence firm SOCRadar reports. Claiming to be a hacktivist group motivated by political and religious causes, Anonymous Sudan has orchestrated DDoS attacks against organizations in Australia, Denmark, France, Germany, India, Israel, Sweden, and the UK. The group has been active since the beginning of the year and established its Telegram channel on January 18, announcing intent to launch cyberattacks against any entity opposing Sudan. The group’s activity began with the targeting of several Swedish sites. >> Full Article <<
By Cara Lin | September 11, 2023
Affected platforms: Windows
Impacted parties: Any organization
Impact: Remote attackers steal credentials, sensitive information, and cryptocurrency
Severity level: Critical
In August, FortiGuard Labs obtained a Word document containing a malicious URL designed to entice victims to download a malware loader. This loader employs a binary padding evasion strategy that adds null bytes to increase the file's size to 400 MB. The payloads of this loader include OriginBotnet for keylogging and password recovery, RedLine Clipper for cryptocurrency theft, and AgentTesla for harvesting sensitive information. Figure 1 illustrates the comprehensive attack flow. In this blog, we examine the various stages of how the file is deployed and delve into the specifics of the malware it delivers. Figure 1: Attack flow >> Full Article <<
September 8, 2023 By Bill Toulas Notepad++ version 8.5.7 has been released with fixes for multiple buffer overflow zero-days, with one marked as potentially leading to code execution by tricking users into opening specially crafted files. Notepad++ is a popular free source code editor that supports many programming languages, can be extended via plugins, and offers productivity-enhancing features such as multi-tabbed editing and syntax highlighting. GitHub's security researcher Jaroslav Lobačevski reported the vulnerabilities in Notepad++ version 8.5.2 to the developers over the last couple of months. Proof of concept exploits have also been published for these flaws in the researcher's public advisory, making it essential for users to update the program as soon as possible. >> Full Article <<
Legitimate-seeming Telegram "mods" available in the official Google Play store for the encrypted messaging app signal the rise of a new enterprise threat. September 8, 2023 By Tara Seals Dangerous spyware masquerading as a set of legitimate Telegram "mods" inside the official Google Play app store has been downloaded tens of thousands of times — and its existence poses serious ramifications for business users. Modified applications ("mods") for the popular messaging client are a well-known part of the Telegram ecosystem. Mods are apps that have all the standard functionality of an official client, but they're supercharged with extra features. In the case of Telegram, this kind of development is actively encouraged by the company and considered perfectly legitimate. Unfortunately, according to research from Kaspersky, unknown threat actors are trading on the official acceptance of Telegram mods' existence to create a new avenue for cyberespionage, which they fittingly dubbed "Evil Telegra
Emsisoft urges its users to update anti-malware and other security products after signing them with an improperly issued digital certificate. September 8, 2023 By Ionut Arghire Endpoint security firm Emsisoft is urging its users to update their anti-malware and other security products and reboot their systems after using an improperly issued digital certificate to sign them. The problem, the company says, affects its Extended Validation (EV) code signing certificate that was renewed on August 23 and used to sign all program files compiled after that date, including the latest software version, released on September 4. GlobalSign, the certificate authority (CA) that issued the certificate, informed Emsisoft on September 4 that it introduced the wrong business number at issuance, meaning that the certificate would need to be revoked and reissued. >> Full Article <<
September 8, 2023 By Bill Toulas Dymocks Booksellers is warning customers their personal information was exposed in a data breach after the company's database was shared on hacking forums. Dymocks is a bookstore chain operating 65 stores in Australia, New Zealand, and Hong Kong, and also an online shop that sells printed books, e-books, stationery supplies, games, and digital media. The company was informed that its customer data was stolen on September 6th, 2023, by Troy Hunt, the creator of the data breach notification service 'Have I Been Pwned' (HIBP), after a threat actor released it on a hacking forum. >> Full Article <<
Russia’s cyberattacks against civilian infrastructure in Ukraine may be the first case. ANDY GREENBERG, WIRED.COM - 9/8/2023 For years, some cybersecurity defenders and advocates have called for a kind of Geneva Convention for cyberwar, new international laws that would create clear consequences for anyone hacking civilian critical infrastructure, like power grids, banks, and hospitals. Now the lead prosecutor of the International Criminal Court at the Hague has made it clear that he intends to enforce those consequences—no new Geneva Convention required. Instead, he has explicitly stated for the first time that the Hague will investigate and prosecute any hacking crimes that violate existing international law, just as it does for war crimes committed in the physical world. In a little-noticed article released last month in the quarterly publication Foreign Policy Analytics, the International Criminal Court’s lead prosecutor, Karim Khan, spelled out that new commitment: His office will i
Cisco is warning of a zero-day vulnerability in Cisco ASA and FTD that can be exploited remotely, without authentication, in brute force attacks. September 8, 2023 By Ionut Arghire Cisco this week raised the alarm on a zero-day in Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software that has been exploited in Akira ransomware attacks since August. Tracked as CVE-2023-20269 (CVSS score of 5.0, medium severity), the issue exists in the remote access VPN feature of Cisco ASA and FTD and can be exploited remotely, without authentication, in brute force attacks. “This vulnerability is due to improper separation of authentication, authorization, and accounting (AAA) between the remote access VPN feature and the HTTPS management and site-to-site VPN features,” Cisco explains in an advisory. >> Full Article <<
Chrome now directly tracks users, generates a "topic" list it shares with advertisers. 9/7/2023, 6:35 PM Don't let Chrome's big redesign distract you from the fact that Chrome's invasive new ad platform, ridiculously branded the "Privacy Sandbox," is also getting a widespread rollout in Chrome today. If you haven't been following this, this feature will track the web pages you visit and generate a list of advertising topics that it will share with web pages whenever they ask, and it's built directly into the Chrome browser. It's been in the news previously as "FLoC" and then the "Topics API," and despite widespread opposition from just about every non-advertiser in the world, Google owns Chrome and is one of the world's biggest advertising companies, so this is being railroaded into the production builds. Google seemingly knows this won't be popular. Unlike the glitzy front-page Google blog post that the redesign got, the big ad platform launch announcement is tucked away on the privacys
These common vulnerabilities and exposures (CVEs) were recently published or revised in the Microsoft Security Update Guide:
CVE-2023-4761
· Title: Chromium: CVE-2023-4761 Out of bounds memory access in FedCM
· Version: 1.0
· Reason for revision: Information published.
· Originally released: September 7, 2023
· Last updated: September 7, 2023
· Aggregate CVE Severity Rating:
CVE-2023-4762
· Title: Chromium: CVE-2023-4762 Type Confusion in V8
· Version: 1.0
· Reason for revision: Information published.
· Originally released: September 7, 2023
· Last updated: September 7, 2023
· Aggregate CVE Severity Rating:
CVE-2023-4763
· Title: Chromium: CVE-2023-4763 Use after free in Networks
· Version: 1.0
· Reason for revision: Information published.
· Originally released: September 7, 2023
· Last updated: September 7, 2023
· Aggregate CVE Severity Rating:
CVE-2023-4764
· Title: Chromium: CVE-2023-4764 Incorrect security UI in BFCache
· Version: 1.0
· Reason for revision: Information published.
· Originally released: Sept