Microsoft fixes nearly 100 bugs, including a zero-day exploited in ransomware attacks
Microsoft released its April 2023 Patch Tuesday security updates to address nearly 100 vulnerabilities, including a fix for a zero-day vulnerability listed as under active attack. The flaw in question, tracked as CVE-2023-28252, is a buffer overflow in the Windows Common Log File System (CLFS) driver that lets a local attacker gain SYSTEM privileges. This vulnerability is said to have been exploited by threat actors to deploy Nokoyawa ransomware payloads.
Apple addresses two iOS zero-days exploited in the wild
Apple issued security updates to patch a pair of zero-day vulnerabilities said to have been exploited in attacks against iOS and macOS devices.
The first zero-day flaw (CVE-2023-28206) is described as an out-of-bounds write issue within the IOSurfaceAccelerator component. The vulnerability can be exploited by a local application to execute arbitrary code with kernel privileges. The second flaw (CVE-2023-28205) is a use-after-free issue in WebKit. It allows a remote attacker to execute arbitrary code on the device by tricking the victim into visiting a specially crafted website.
Israeli spyware firm QuaDream hacks into iPhones via iOS zero-click exploit
An Israel-based company's spyware has been used against journalists, opposition figures and advocacy organizations across at least 10 countries, including people in North America and Europe. Citizen Lab says that the hacks were likely carried out with the help of an iOS zero-click exploit they dubbed “ENDOFDAYS” used to deploy the spyware. The suspected exploit appears to abuse invisible iCloud calendar invitations sent from the spyware’s operator to victims.
Microsoft is tracking this threat actor as DEV-0196, describing it as a private sector offensive actor (PSOA). QuaDream reportedly sells a platform it calls REIGN to governments for law enforcement purposes. REIGN is a suite of exploits, malware, and infrastructure designed to exfiltrate data from mobile devices. The researchers believe that the ENDOFDAYS exploit and the spyware it delivers (which Microsoft tracks as KingsPawn) are part of the REIGN platform.
Pro-Ukrainian hacktivists leak personal data of APT28’s alleged leader
Ukrainian hacktivist group Kiber Sprotyv (Cyber Resistance) and the volunteer intelligence community InformNapalm released a data dump containing personal information and correspondence of Lieutenant Colonel Sergey Alexandrovich Morgachev, an officer of the Russian Main Intelligence Directorate of the General Staff of the Russian Army (GRU) and suspected leader of the Russian state-sponsored cyber-espionage group APT28 (the GRU Unit 26165).
The Kiber Sprotyv team was able to hack into an email account belonging to Morgachev and obtain sensitive data, including scans of personal documents shedding light on his personal life and his current place of residence and service, as well as people associated with him.
Russian hackers hijack CCTV cameras in Ukrainian coffee shops for intel on Western aid
Russian hackers are targeting CCTV cameras installed in coffee shops in Ukraine to gather intelligence on Western aid convoys moving on Ukrainian roads. According to Rob Joyce, director of cybersecurity at the National Security Agency, this cyber-espionage effort was part of Russia’s ongoing offensive.
He further added that Russian government and state-backed hackers are targeting US defense manufacturers and logistical transport companies to obtain information on the weapons supply chain to Ukraine.
Kremlin-backed hackers linked to widespread cyberattacks on NATO, EU countries
Poland’s top cybersecurity agency has linked APT29 (Cozy Bear, Nobelium), a state-sponsored group operating under the Russian government's Foreign Intelligence Service (SVR), to widespread attacks targeting NATO and European Union countries.
The cyber-espionage campaign was aimed at collecting information from foreign ministries and diplomatic entities and involved phishing emails impersonating the embassies of European countries. The emails contained a malicious PDF file or a link leading to a compromised website that contained the hackers’ signature script EnvyScout, which allowed them to drop malicious files on a targeted computer.
Pakistan-linked hackers target India’s education sector with Crimson RAT
SentinelLabs released a report detailing the latest cyber-espionage campaign by a Pakistan-aligned state-sponsored hacker group tracked as APT36 or Transparent Tribe targeting India’s education sector with Crimson remote access trojan (RAT).
The threat actor gained access to victims' devices via phishing emails with education-themed malicious attachments that were created in July and August 2022. Once opened, the attackers used either Microsoft Office macros or Object Linking and Embedding (OLE) to install the Crimson malware onto the computer.
Iranian Mercury APT disguises destructive campaigns as ransomware attacks
The Iranian state-backed group known as Mercury has been observed carrying out destructive attacks on hybrid environments masquerading as a ransomware operation.
Mercury, which US cyber authorities have linked to Iran’s Ministry of Intelligence and Security (MOIS), has been working in tandem with another threat actor that Microsoft tracks as DEV-1084. Once Mercury had gained access to a target environment, DEV-1084 carried out the destructive actions.
To gain initial access to a target network the group takes advantage of known bugs in unpatched software products such as Log4j (Log4Shell).
Once inside the network, the attackers deploy several tools and techniques to maintain persistence, including installing web shells, adding a local user account and elevating it to local administrator, installing legitimate remote access tools such as RPort, Ligolo and eHorus, installing a customized PowerShell script backdoor, and stealing credentials.
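One of the persistence steps listed above, creating a local account and then adding it to the local Administrators group, leaves a distinctive pair of Windows Security events (4720 "user account created" followed by 4732 "member added to a security-enabled local group"). The hunt below is an added example written for this article, not code from Microsoft or from the researchers who tracked Mercury; the event field names follow the Windows Security log, but the event records themselves are constructed for the demo and the 30-minute pairing window is an assumed tuning value.

```python
"""Hunt for a local account that is created and then added to Administrators
on the same host within a short window.

Added example for this article, not from the original page. Field names mirror
the Windows Security log (EventID 4720: TargetUserName/TargetSid = new account,
SubjectUserName = creator; EventID 4732: MemberSid = account added,
TargetSid = group). The SAMPLE_EVENTS below are constructed, not real captures.
"""
from datetime import datetime, timedelta

# Well-known SID of the built-in Administrators group; identical on every Windows host.
ADMINISTRATORS_SID = "S-1-5-32-544"
# Assumed tuning value: how soon after creation the group change must follow.
DEFAULT_WINDOW = timedelta(minutes=30)

# Constructed sample events shaped like JSON a log forwarder would emit.
SAMPLE_EVENTS = [
    # WEB01: account created by a web-server service identity, promoted 2 minutes later -> hit
    {"time": "2023-04-10T10:00:00", "EventID": 4720, "Computer": "WEB01",
     "SubjectUserName": "DefaultAppPool", "TargetUserName": "svc_backup",
     "TargetSid": "S-1-5-21-1111-2222-3333-1005"},
    {"time": "2023-04-10T10:02:00", "EventID": 4732, "Computer": "WEB01",
     "SubjectUserName": "DefaultAppPool", "MemberSid": "S-1-5-21-1111-2222-3333-1005",
     "TargetSid": ADMINISTRATORS_SID},
    # WEB01: same account also added to Remote Desktop Users -> not a privileged group, ignored
    {"time": "2023-04-10T10:03:00", "EventID": 4732, "Computer": "WEB01",
     "SubjectUserName": "DefaultAppPool", "MemberSid": "S-1-5-21-1111-2222-3333-1005",
     "TargetSid": "S-1-5-32-555"},
    # FILE01: routine helpdesk work, promotion six hours after creation -> outside window
    {"time": "2023-04-10T09:00:00", "EventID": 4720, "Computer": "FILE01",
     "SubjectUserName": "helpdesk1", "TargetUserName": "jdoe",
     "TargetSid": "S-1-5-21-4444-5555-6666-2001"},
    {"time": "2023-04-10T15:00:00", "EventID": 4732, "Computer": "FILE01",
     "SubjectUserName": "helpdesk1", "MemberSid": "S-1-5-21-4444-5555-6666-2001",
     "TargetSid": ADMINISTRATORS_SID},
    # WEB01: pre-existing account promoted with no matching 4720 -> not this pattern
    {"time": "2023-04-10T11:00:00", "EventID": 4732, "Computer": "WEB01",
     "SubjectUserName": "Administrator", "MemberSid": "S-1-5-21-1111-2222-3333-1010",
     "TargetSid": ADMINISTRATORS_SID},
]


def find_new_local_admins(events, window=DEFAULT_WINDOW):
    """Return one finding per (host, account) where a 4720 is followed by a 4732
    into Administrators within `window`. Events may arrive out of order; they are
    sorted by timestamp first so the pairing is done chronologically."""
    created = {}   # (computer, account SID) -> (account name, creation time, creator)
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        host = ev["Computer"]
        if ev["EventID"] == 4720:
            created[(host, ev["TargetSid"])] = (ev["TargetUserName"], ts, ev["SubjectUserName"])
        elif ev["EventID"] == 4732 and ev["TargetSid"] == ADMINISTRATORS_SID:
            hit = created.get((host, ev["MemberSid"]))
            if hit is None:
                continue
            name, t_created, creator = hit
            if ts - t_created <= window:
                findings.append({
                    "computer": host,
                    "account": name,
                    "sid": ev["MemberSid"],
                    "created_by": creator,
                    "promoted_by": ev["SubjectUserName"],
                    "minutes_between": (ts - t_created).total_seconds() / 60,
                })
    return findings


if __name__ == "__main__":
    for f in find_new_local_admins(SAMPLE_EVENTS):
        print(f"[{f['computer']}] {f['account']} ({f['sid']}) created by {f['created_by']}, "
              f"made local admin by {f['promoted_by']} after {f['minutes_between']:.0f} min")
```

The creator identity is worth keeping in the finding: an account created by a web-application pool identity, as in the constructed WEB01 case, is the kind of detail that separates a web-shell-driven intrusion from a helpdesk ticket.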
Ares Leaks emerges as a new alternative to now-defunct BreachForums
A cybercrime threat group called Ares has been increasingly gaining popularity after the notorious BreachForums hacking forum went out of business following the arrest of its administrator last month.
The group emerged on the Telegram messaging app in late 2021 and has been linked to the RansomHouse ransomware, the KelvinSecurity data leak platform, as well as the Adrastea network access group. Ares has been gaining notoriety in recent months for selling and leaking databases stolen from corporations and public authorities.
Ares Leaks offers access to data leaks from 65 countries, including the United States, India, Philippines, Mexico, Australia, Ukraine, Thailand, France, Spain, and Italy. In addition to data leaks, the group also offers botnet and DDoS services.
Five suspects arrested in connection with €89M investment fraud scheme
An international law enforcement operation dismantled a massive online investment fraud ring that duped thousands of victims, causing an estimated €89 million loss.
The criminals behind the scheme lured victims via fraudulent websites and social media, using call centers in various European countries, including Bulgaria and Romania.
The scammers encouraged their victims to make small initial investments of between €200 and €250, promising high profits. The fraud scheme allegedly ran between 2019 and 2021, Europol says.
The coordinated action took place across two action days in March and involved the search of 15 locations across Bulgaria, Romania, and Israel. During the actions, five suspects were arrested, and a range of high-value assets seized, including luxury watches, electronic equipment, cash, bitcoins, bank cards and numerous documents and data carriers.
A new Python-based credential harvester Legion is being sold on Telegram
Researchers at Cado Security spotted a new Python-based credential harvester and SMTP hijacking tool called “Legion” that targets online email services for phishing and spam attacks.
The tool is sold via the Telegram messenger and includes modules to enumerate vulnerable SMTP servers, conduct remote code execution (RCE) attacks, exploit unpatched versions of Apache, and brute-force cPanel and WebHost Manager (WHM) accounts. The researchers say that Legion appears to be related to AndroxGh0st, a similar malware family first discovered in December 2022.
Ransomware group leaks 528GB of data allegedly stolen from MSI
Security researcher Dominic Alvieri tweeted that the Money Message ransomware group leaked nearly 528GB of data allegedly stolen from Taiwanese hardware manufacturer Micro-Star International (MSI) earlier this month. The leak consists of three databases, two of them from 2022 (January 19 and September 17) and the third from January 23, 2023.
Earlier, the hardware manufacturer confirmed the cyberattack and said it impacted some of its information systems. The company urged users to obtain firmware/BIOS updates only from its official website, and not from other sources.
South Korean crypto exchange GDAC lost $14M worth of crypto assets in a hack
South Korean cryptocurrency exchange GDAC was hit with a cyberattack over the weekend, which resulted in the theft of nearly $14 million in various cryptocurrencies - approximately 23% of GDAC’s total assets, including Bitcoin, Ethereum, USDT and WEMIX tokens.
The attackers compromised GDAC’s hot wallet and transferred over 60 BTC, 350.5 ETH, 10,000,000 WEMIX, and 220,000 USDT to an unidentified wallet.
OpenAI offers up to $20,000 for ChatGPT bugs
ChatGPT developer OpenAI launched a bug bounty program offering up to $20,000 to users reporting security vulnerabilities in its artificial intelligence products. Security issues eligible for cash rewards include those in OpenAI APIs, public cloud resources or infrastructure involved in serving the OpenAI API, ChatGPT, including ChatGPT Plus, logins, subscriptions, OpenAI-created plugins and all other functionality, as well as third party corporate targets, and OpenAI API keys. The program will not cover jailbreaks or text prompts that violate ChatGPT’s rules.
Microsoft shares guidance on how to detect BlackLotus UEFI bootkit infections
Microsoft released guidance to help organizations identify whether their environments have been targeted by malicious actors exploiting a Windows secure boot bypass vulnerability (CVE-2022-21894) via BlackLotus UEFI bootkit.
First spotted in late 2022, BlackLotus comes with a slew of features, including anti-virtualization, anti-debugging, and code obfuscation, and can disable security applications and defense mechanisms on target machines, including Hypervisor-protected Code Integrity (HVCI), BitLocker, and Windows Defender. The Windows bootkit can also bypass User Account Control (UAC) and Secure Boot, load unsigned drivers, and operate within an environment undetected for a long time.