September 26, 2023

Welcome to TheCyberThrone cybersecurity week in review, covering the important security happenings. This review is for the week ending Saturday, May 13, 2023.

1. Cactus Ransomware Dissection

A new ransomware group dubbed Cactus is targeting vulnerabilities in VPN appliances. Its distinguishing characteristic is that it encrypts itself to avoid detection by security software. The ransomware is believed to have first been deployed in March. It targets known vulnerabilities in Fortinet VPN appliances to gain access.

Cactus goes through the regular ransomware steps – spreading through a targeted network, stealing and encrypting files as it goes along, but its obfuscation technique is what makes it interesting compared to various forms of ransomware before it.

2. AndoryuBot Exploits RCE Bug to Conduct DDoS Attack

Researchers have identified a spike in attacks attempting to exploit a remote code execution vulnerability in Ruckus Wireless Admin by a botnet known as AndoryuBot.

The vulnerability is tracked as CVE-2023-25717. The bot supports multiple DDoS attack techniques and uses SOCKS5 proxies for C2 communications. The issue affects Ruckus Wireless Admin version 10.4 and earlier, used by multiple Ruckus wireless Access Point devices. A remote, unauthenticated attacker can exploit the vulnerability to execute arbitrary code and take complete control of a vulnerable device.


3. Akira Ransomware Dissection

Researchers have brought to light a new ransomware operation called Akira, which targets businesses worldwide, breaching corporate networks and stealing and encrypting data.

The threat actors count dozens of organizations among their victims, from areas like finance, manufacturing, real estate, education, and consultancy. The recently claimed attacks include Bluefield, the Bridge Valley Community and Technical College, Mitchell Partnership Inc., Garcia Hamilton & Associates, and New World Travel, Inc.



4. GitLab Patches Malicious Runner Vulnerability

GitLab has recently issued a critical security advisory concerning a significant vulnerability tracked as CVE-2023-2478, with a CVSS score of 9.6. This vulnerability poses a serious risk to the integrity and security of GitLab projects.

The security flaw, Malicious Runner Attachment via GraphQL, affects all GitLab Community Edition (CE) and Enterprise Edition (EE) versions starting from 15.4 before 15.9.7, all versions starting from 15.10 before 15.10.6, and all versions starting from 15.11 before 15.11.2.

Under certain conditions, any GitLab user account on the instance may exploit a GraphQL endpoint to attach a malicious runner to any project within the instance. This vulnerability leaves projects exposed to unauthorized access and manipulation, posing a substantial risk to the security and confidentiality of project data.
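For teams triaging several GitLab instances, the affected ranges listed above can be checked mechanically. The following is an added example, not code from GitLab or from the advisory; the host names and version strings in the sample inventory are constructed, and the function names are hypothetical.

```python
import re

# Affected ranges for CVE-2023-2478 as listed above:
# (first affected version, first fixed version) for each range.
AFFECTED_RANGES = [
    ((15, 4, 0), (15, 9, 7)),
    ((15, 10, 0), (15, 10, 6)),
    ((15, 11, 0), (15, 11, 2)),
]

def parse_version(text):
    """Parse strings such as '15.9.6', 'v15.10.5' or '15.9.6-ee' into a tuple."""
    match = re.match(r"^v?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not match:
        raise ValueError(f"unrecognized GitLab version: {text!r}")
    # A missing patch component is treated as .0
    return tuple(int(part or 0) for part in match.groups())

def first_fixed_release(version_text):
    """Return the fixed release for an affected version, or None if unaffected."""
    version = parse_version(version_text)
    for first_affected, first_fixed in AFFECTED_RANGES:
        if first_affected <= version < first_fixed:
            return ".".join(str(n) for n in first_fixed)
    return None

def triage(inventory):
    """Map each host to the release it must reach, keeping only affected hosts."""
    findings = {}
    for host, version_text in inventory.items():
        fixed = first_fixed_release(version_text)
        if fixed is not None:
            findings[host] = fixed
    return findings

# Constructed sample inventory (host names and versions are illustrative).
SAMPLE_INVENTORY = {
    "gitlab-a.example.internal": "15.9.6-ee",
    "gitlab-b.example.internal": "15.10.6",
    "gitlab-c.example.internal": "v15.11.1",
    "gitlab-d.example.internal": "15.3.5",
}

if __name__ == "__main__":
    for host, fixed in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: affected, upgrade to at least {fixed}")
```
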

5. Fleckpe Malware Wreaking Havoc on Millions of Android Devices

Researchers identified a new malware family infecting apps that were available for download on the official Google Play store and have been installed on more than 620,000 Android devices.

The malware, called Fleckpe, is subscription-based and usually goes unnoticed until the victim discovers they’ve been charged for services they did not purchase. Active since 2022, the Fleckpe malware has been spread via Google Play in photo editing apps and smartphone wallpaper packs. All 11 infected apps were removed by the app store, but researchers suggested the malware could be more pervasive and still active.

6. Russian Snake Malware Hunt Alert

A joint security advisory revealed details about a sophisticated espionage tool dubbed Snake malware, used by Russian cyber actors against their targets. The advisory was published by the US FBI, the US NSA, the US CISA, US CNMF, the UK NCSC, the Canadian CCS, the Canadian CSE, the Australian ACSC, and the New Zealand NCSC.

The malware is spread across 50 countries in North America, South America, Europe, Africa, Asia, and Australia. Snake’s custom communications protocols employ encryption and fragmentation for confidentiality and are designed to hamper detection and collection efforts. Globally, the Russian Federal Security Service has used Snake to collect sensitive intelligence from high-priority targets such as government networks, research facilities, and journalists.


7. Brightline hit by GoAnywhere MFT Exploit

Brightline, a health provider, started notifying at least 783,638 patients and 60 of its connected vendors that their data was accessed and exfiltrated by threat actors during a hack of its Fortra GoAnywhere MFT in January.

Clop already claimed to have hacked Brightline as far back as March, when the actors added the company to their dark web site, claiming to have stolen the data tied to at least 63,000 children. Those details were not included in the notice. The breach was reported to the Department of Health and Human Services in nine separate filings. Blue Shield of California, which invested in Brightline, previously issued a similar notice.

8. NextGen Healthcare Suffers a Data Breach

NextGen Healthcare, a provider of electronic health record software and practice management systems, has suffered a data breach that resulted in the theft of about one million records.

NextGen said the breach occurred between March 29 and April 14 and was discovered on April 24. It is described as involving unauthorized access to a database stemming from the use of stolen client credentials that appear to have been stolen from other sources or incidents unrelated to NextGen. An attacker gained access to their systems using credentials stolen in another data breach, or in other words, one of their employees or clients was using login details on another site that they were also using on NextGen’s systems.

This brings us to the end of this week in review security coverage. Thanks for visiting TheCyberThrone.
