February 8, 2023

Welcome to TheCyberThrone cybersecurity week in review, covering the important security happenings of the week. This review is for the week ending Saturday, December 10th, 2022.

The week started on Sunday, 04th Dec 2022, with coverage of an alert on Cuba ransomware. The US government has issued an alert about the profit-driven Cuba ransomware gang. The threat actors have hit more than 100 organizations worldwide, demanding over $145 million in payments and successfully extorting at least $60 million since August.

Mozilla and Microsoft have removed root certificate authority (RCA) TrustCor from their respective Firefox and Edge browsers, over suspicion about its reported ties to spyware firms and intelligence agencies. Kaspersky researchers have discovered a data wiper, dubbed CryWiper, that was employed in destructive attacks against Russian government entities.

Here at TheCyberThrone, we covered a special writeup about the first anniversary of Log4j, which falls later this week. This is a good time to revisit the importance of analyzing supply chain security, as well as third-party vendor management. Log4j impacted almost everyone in the IT industry.

Researchers from Yuga Labs have disclosed a critical issue in Hyundai and Genesis vehicles that could be exploited to remotely control a car. Researchers uncovered the Dolphin backdoor used by the ScarCruft APT group, which is linked to North Korea. The group, also referred to as APT37, InkySquid, Reaper, and Ricochet Chollima, is known to attack government entities, diplomats, and news organizations in South Korea and certain other Asian countries.

Google has released the December 2022 Android updates with patches for over 75 vulnerabilities, including multiple critical RCE flaws. A threat actor going by the name Team Mysterious Bangladesh claimed to have compromised the Indian Central Board of Higher Education (CBHE) systems. The threat actors are said to have stolen PII, including names, Aadhaar numbers, Indian Financial System Codes (IFSC codes), and other details of numerous individuals.

Threat actors from the well-known Winnti APT group, linked to the Chinese government, are alleged to have stolen more than $20 million in COVID relief benefits, including U.S. Small Business Administration loans and unemployment funds, in more than a dozen states. Sophos has released patches to address vulnerabilities in Sophos Firewall version 19.5, including arbitrary code execution bugs.

AlgoSec is set to acquire Prevasio, a SaaS cloud-native application protection platform (CNAPP) that includes an agentless cloud security posture management platform, anti-malware scanning, vulnerability assessment and dynamic analysis for containers. Beyond Identity now offers integration with Zscaler to strengthen zero-trust architecture and reduce attack surfaces.

An outage that affected Hosted Exchange customers of Rackspace Technologies during the Thanksgiving holiday has been confirmed to be the result of a ransomware attack.

Fortinet has released patches for multiple vulnerabilities across its products, including a high-severity authentication bypass impacting FortiOS and FortiProxy. Researchers have found a security flaw in Netgear firmware that allows unrestricted communication with the internet-facing ports of the device listening over IPv6. The vulnerability affects Netgear model RAX30, also known as the Nighthawk AX5 5-Stream AX2400 WiFi 6 Router.

An Iranian APT group known as Agrius has conducted supply chain-focused attacks against the diamond industry on three continents: Israel, South Africa and Hong Kong. Security researchers have developed a generic SQL injection technique that bypasses multiple web application firewalls (WAFs), allowing potential attackers to easily hide their malicious payloads, since the vendors have failed to add support for JSON syntax inside SQL statements.

Cisco has disclosed a high-severity vulnerability impacting its IP Phone 7800 and 8800 Series. Tracked as CVE-2022-20968, the flaw can be triggered by an unauthenticated attacker to cause a stack overflow on an affected device, leading to remote code execution and denial of service attacks. Threat actors from the state-backed Iranian group Cobalt Mirage are using new custom malware dubbed Drokbk to attack a variety of US organizations, using GitHub as a dead-drop resolver. Apple has introduced new security features to protect user data in the cloud, including end-to-end encryption for backups for iCloud users.

Kubernetes developers have released new features for the software container management platform that will make it easier to secure and maintain; they are available in Kubernetes 1.26. Researchers have discovered an obfuscation platform named Zombinder on the darknet that attaches malware to legitimate Android applications to lure users into installing the malicious payload and make it difficult for security tools to detect.

This brings an end to this week in review security coverage. Thanks for visiting TheCyberThrone. If you like us, please follow us on Facebook and Twitter.