October 2, 2023

Welcome to TheCyberThrone cybersecurity week in review, covering the important security happenings. This review is for the week ending Saturday, February 11th, 2023.

This week started with coverage of the US CISA adding Oracle and SugarCRM flaws, tracked as CVE-2022-21587 and CVE-2023-22952 respectively, to its Known Exploited Vulnerabilities Catalog. Later in the week it added Intel, TerraMaster and GoAnywhere MFT flaws, tracked as CVE-2015-2291, CVE-2022-24990 and CVE-2023-0669 respectively, to the same catalog.

Atlassian fixed a critical bug tracked as CVE-2023-22501, with a CVSS score of 9.4. It has been described as a case of broken authentication that could be abused by an attacker to pass off as another user and gain unauthorized access to susceptible instances.

Malvertising campaigns are dropping .NET info-stealing malware dubbed MalVirt. The samples are highly obfuscated and distributed as virtualized .NET loaders. They use signatures and countersignatures from Microsoft, Acer, DigiCert, Sectigo, and several other companies to avoid detection.

A high-severity vulnerability in F5 BIG-IP, tracked as CVE-2023-22374, can be exploited to cause a DoS condition and potentially lead to arbitrary code execution.

Tallahassee Memorial HealthCare continues to struggle through operations in the wake of an IT security issue, a ransomware attack. Meanwhile, the Iranian threat actor that Microsoft calls Neptunium has been involved in the recent hacking operation targeting the satirical French magazine Charlie Hebdo.

OpenSSH 9.2 has been released to address several security bugs, including a memory safety vulnerability in the OpenSSH server (sshd) tracked as CVE-2023-25136. The shortcoming has been classified as a pre-authentication double-free vulnerability that was introduced in version 9.1.

Researchers have discovered a new Linux variant of Cl0p (aka Clop), which was used in late December 2022 in an attack against a university in Colombia. Separately, the Clop ransomware group claims that it has stolen sensitive data from over 130 organizations by exploiting a flaw in Fortra’s GoAnywhere MFT secure file transfer tool, tracked as CVE-2023-0669.

The new risk-based authentication approaches announced by Cisco Duo aim to address the inconvenience of MFA by providing a login process tailored to each individual user. The solution can adjust authentication requirements for users in real time based on contextual risk. It uses a machine learning-based risk analysis engine to dynamically assess risk based on user signals such as location, behavior, security posture of the device, the Wi-Fi network and the use of known attack patterns.

A new Android banking Trojan dubbed PixPirate has been spotted targeting financial institutions in Brazil since the end of 2022. It can perform ATS (automatic transfer system) attacks, enabling attackers to automate the insertion of a malicious money transfer over the instant payment platform Pix, adopted by multiple Brazilian banks.

The U.S. CISA has released a script to recover VMware ESXi servers infected with ESXiArgs ransomware. Victims of the recent wave of ESXiArgs ransomware attacks targeting CVE-2021-21974 can use the script to recover encrypted VMware ESXi servers.

ChatGPT’s massive reach ever since its launch last November seems to have finally affected Google, which has announced its very own ChatGPT alternative and rival named Bard. Meanwhile, ARMO has announced that it has integrated ChatGPT’s generative AI into ARMO Platform. ARMO also owned the open-source Kubernetes security platform Kubescape.

Toyota has been hacked again: researcher Eaton Zveare said that he gained access to Toyota’s Global Supplier Preparation Information Management System in October. The system is a web app used by Toyota employees and their suppliers to coordinate projects, parts, surveys, purchases, and other tasks related to the global Toyota supply chain.

Researchers have discovered a Russia-linked APT group, tracked as Nodaria, deploying new info-stealing malware dubbed Graphiron in attacks against Ukraine. Researchers have also discovered a campaign involving malware dubbed TgToxic that targets cryptocurrency wallets and carries out dubious money transfers and credential theft against banking and financial apps of Android users in Taiwan, Thailand, and Indonesia.

A joint UK/US action has resulted in seven Russian cybercriminals linked to a notorious ransomware group being exposed and sanctioned, in an action against the crime group behind the Trickbot malware, as well as the Conti and RYUK ransomware strains, among others, an NCA posting read. Reddit has said that its internal systems were breached on Feb. 5 as the result of an employee credential compromise. A sophisticated and highly targeted phishing attack was able to trick a single employee into giving up their login information.

Weee!, a U.S.-based online grocery delivery platform, has disclosed a data breach affecting nearly 1.1 million customers. A Canadian bookstore chain, Indigo Books & Music, is the victim of a cyber attack, leading the company to temporarily shut down its website and only allow cash payments.

Researchers have spotted a threat actor known as TA886 making use of new custom-made malware, Screenshotter, that performs surveillance before stealing data. Researchers have also spotted an espionage campaign from a novel threat actor called NewsPenguin that has targeted Pakistan’s military-industrial complex for months, using an advanced malware tool.

Researchers have discovered threat actors uploading several modifications (“mods”) containing malicious code to the catalog in the official Steam store that players of the popular Dota 2 online game use for downloading community-developed game additions and other custom items.

This brings us to the end of this week-in-review security coverage. Thanks for visiting TheCyberThrone. If you like us, please follow us on Facebook, Twitter and Instagram.
