June 6, 2023

Welcome to the TheCyberThrone cybersecurity week in review, covering the important security happenings of the week. This review is for the week ending Saturday, April 1st, 2023.

1. IcedID Malware Shifting Focus to Ransomware

Researchers have spotted three new variants of the IcedID malware being used by multiple threat actors, with their code shifted away from launching banking trojans toward a focus on ransomware. One new version potentially comes with a separate panel for managing the malware. While much of the code base is the same, the threat actors have removed banking functionality such as web injects and back connect.

The first new variant of IcedID, dubbed “IcedID Lite”, was distributed as a follow-on payload in a TA542 Emotet campaign. It was dropped by the Emotet malware soon after the actor returned to the cybercrime landscape following a nearly four-month break.

2. Microsoft Patches BingBang Cloud Vulnerability Exposing O365 Data

Researchers have discovered a misconfiguration in Azure Active Directory that exposed applications to unauthorized access, which could have led to a Bing.com takeover.

For multi-tenant applications, developers are responsible for checking a user’s original tenant and enforcing access policies to prevent unauthorized logins, but in this case more than 25% of the multi-tenant apps accessible from the internet lacked proper validation. The issue persists because it is not evident to developers that they are responsible for validating user identity, leading to configuration and validation errors.


3. Dark Power Ransomware Dissection

Researchers have spotted a new ransomware gang named Dark Power – which has been actively hitting organisations in several countries lately. Starting on January 29, 2023, the Dark Power gang has over 10 victims listed on its dark net website already – waiting to leak their data!

The Dark Power ransomware uses Nim, a relatively new cross-platform programming language with several speed-related advantages – making it apt for ransomware operations, and most defense tools fail to detect it. The modus operandi has yet to be published. Dark Power attacks create a randomized 64-character ASCII string for starting the encryption process, with a unique key on each execution.



4. Microsoft Azure Super FabriXss Bug

Researchers have detailed the discovery of a previously unknown vulnerability in Microsoft Azure called Super FabriXss that allowed hackers to undertake remote code execution.

An unauthenticated attacker could abuse the metrics tab and enable a specific option in the console, the ‘Cluster Type’ toggle, to achieve remote code execution. This XSS vulnerability affects Azure Service Fabric Explorer. It enables unauthenticated remote attackers to execute code on a container hosted on a Service Fabric node without the need for any authentication.

5. Twitter Source Code Leak on Git

Twitter sent GitHub a copyright infringement notice claiming that some of the platform’s users leaked parts of its source code.

GitHub promptly took down the code. The leaked code had been public for at least several months. Twitter urged GitHub to reveal the user behind the source code leak. Since the Twitter source code was publicly available for months, hackers will have an easy task when hunting for security vulnerabilities. If threat actors put their minds to it, they could extract user data or even take down the site.


6. Okta Credentials Exposed via Post Exploitation Attack

Researchers have discovered a post-exploitation attack method in Okta that enables threat actors to read users’ passwords in Okta audit logs.

Researchers developed a post-exploitation technique that illustrates how passwords for Okta users could be exposed if they enter their password into the username field. The risk of exposure comes from the way Okta records failed login attempts, which stores the username in Okta audit logs as plain text. If the user then enters their credentials successfully, both the username and password have been exposed for a potential attacker to exploit.
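A defender-side check for the pattern described above, added here as an example that is not part of the original post or of any Okta tooling: it scans audit log events for a failed login whose "username" does not match the organisation's username pattern and that is followed shortly afterwards by a successful login from the same IP address. The event field names follow the Okta System Log schema as assumed by the author, the `@example.com` username pattern and the sample events are constructed, and the suspected secret is reported only as a hash prefix so the finding itself does not re-expose it.

```python
import hashlib
import re
from datetime import datetime, timedelta

# Constructed sample audit events (field names assumed from Okta's System Log
# schema; all values are invented for this example).
SAMPLE_EVENTS = [
    {"published": "2023-03-28T09:00:01.000Z", "eventType": "user.session.start",
     "outcome": {"result": "FAILURE", "reason": "VERIFICATION_ERROR"},
     "actor": {"alternateId": "Spring2023!pass"}, "client": {"ipAddress": "203.0.113.5"}},
    {"published": "2023-03-28T09:00:20.000Z", "eventType": "user.session.start",
     "outcome": {"result": "SUCCESS"},
     "actor": {"alternateId": "alice@example.com"}, "client": {"ipAddress": "203.0.113.5"}},
    {"published": "2023-03-28T10:15:00.000Z", "eventType": "user.session.start",
     "outcome": {"result": "FAILURE", "reason": "INVALID_CREDENTIALS"},
     "actor": {"alternateId": "bob@example.com"}, "client": {"ipAddress": "198.51.100.9"}},
]

# Assumed organisation username pattern; anything else in the username field is suspect.
USERNAME_RE = re.compile(r"^[a-z0-9._%+-]+@example\.com$", re.I)


def _ts(event):
    return datetime.strptime(event["published"], "%Y-%m-%dT%H:%M:%S.%fZ")


def find_leaked_credential_events(events, window_seconds=120):
    """Return failed logins whose username field looks like a stray secret and is
    followed within the window by a successful login from the same IP."""
    logins = sorted((e for e in events if e.get("eventType") == "user.session.start"), key=_ts)
    hits = []
    for i, fail in enumerate(logins):
        if fail["outcome"]["result"] != "FAILURE":
            continue
        ident = fail["actor"]["alternateId"]
        if USERNAME_RE.match(ident):
            continue  # a plausible username, not a mistyped password
        for ok in logins[i + 1:]:
            if _ts(ok) - _ts(fail) > timedelta(seconds=window_seconds):
                break
            if ok["outcome"]["result"] == "SUCCESS" and ok["client"]["ipAddress"] == fail["client"]["ipAddress"]:
                hits.append({
                    "published": fail["published"],
                    "ip": fail["client"]["ipAddress"],
                    "suspected_user": ok["actor"]["alternateId"],
                    # Hash prefix lets the SOC locate the event without copying the secret.
                    "redacted_value": "sha256:" + hashlib.sha256(ident.encode()).hexdigest()[:12],
                })
                break
    return hits
```

A hit is a signal to rotate the affected user's password and to scrub the offending log entry from any downstream log stores.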

This brings this week's security review coverage to an end. Thanks for visiting TheCyberThrone. If you like us, please follow us on Facebook, Twitter and Instagram.
