Welcome to the TheCyberThrone cybersecurity week in review, covering the important security happenings. This review is for the week ending Saturday, July 1, 2023.
A third-party vendor associated with American Airlines and Southwest Airlines experienced a data breach. Pilot Credentials, which manages the pilot and cadet hiring and recruitment portal for several airlines, had a cybersecurity incident involving some data files. The incident did not impact any American Airlines customer data, and American’s internal systems, including customer and team member data, remain secure.
Southwest also confirmed that none of its networks or systems were affected. It notified former applicants whose personal information was involved in the breach and is providing them with complimentary credit monitoring services.
Researchers have uncovered a vulnerability that could allow attackers to deliver malware directly into employees’ Microsoft Teams inbox.
Many organizations have security controls that allow external tenants to message their employees, so members of other organizations and service providers can reach internal users. By default these external users can’t send files to employees of another organization, but the client-side security controls that disallow this can be bypassed.
Exploitation of the vulnerability can be performed by using a traditional IDOR technique of switching the internal and external recipient ID on the POST request. This allows the external attacker to send a malicious payload that will appear in the target’s inbox as a file for download.
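The class of bug described above, as an added illustration that is not from the original post or the researchers’ write-up: a constructed, simplified model of a cross-tenant messaging endpoint (the user ids, tenant names and request fields are hypothetical, not the real Teams API) showing why a file-sending restriction enforced only by client-supplied data falls to a modified POST, and what the server-side check looks like instead.

```python
"""Constructed model of a cross-tenant messaging endpoint. The only difference
between the two handlers is whether the "external sender" decision comes from
the client request or from server-side state."""

# Constructed directory: user id -> tenant id (hypothetical values).
USER_TENANT = {
    "u-alice": "tenant-internal",
    "u-bob": "tenant-internal",
    "u-mallory": "tenant-external",
}

# Organisation policy: external tenants may message internal users but not send files.
EXTERNAL_MAY_SEND_FILES = False


def _policy_allows(cross_tenant: bool, has_attachment: bool) -> bool:
    """Single place where the file-sending rule is evaluated."""
    return not (cross_tenant and has_attachment and not EXTERNAL_MAY_SEND_FILES)


def vulnerable_send(session_user: str, body: dict) -> bool:
    """BUG: 'is_external' is a client-supplied field, so the client UI is the
    only thing enforcing the rule. A modified POST can simply lie. The
    authenticated session_user is never consulted."""
    return _policy_allows(body["is_external"], body["has_attachment"])


def hardened_send(session_user: str, body: dict) -> bool:
    """Derive the tenant relationship from the authenticated sender and the
    server-side directory; nothing in the request body changes the outcome."""
    sender_tenant = USER_TENANT.get(session_user)
    recipient_tenant = USER_TENANT.get(body["recipient_id"])
    if sender_tenant is None or recipient_tenant is None:
        return False  # unknown principal: fail closed
    return _policy_allows(sender_tenant != recipient_tenant, body["has_attachment"])


def demo() -> dict:
    """External user tries to push a file to an internal inbox with a tampered body."""
    honest = {"recipient_id": "u-alice", "has_attachment": True, "is_external": True}
    tampered = {"recipient_id": "u-alice", "has_attachment": True, "is_external": False}
    return {
        "vulnerable_honest": vulnerable_send("u-mallory", honest),      # False
        "vulnerable_tampered": vulnerable_send("u-mallory", tampered),  # True: bypassed
        "hardened_tampered": hardened_send("u-mallory", tampered),      # False: blocked
        "hardened_internal": hardened_send("u-bob", tampered),          # True: same tenant
    }
```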
Researchers have spotted a massive spike in ransomware activity in May and June 2023 and attributed it to a ransomware group called 8Base, active since March 2022. The group describes itself as “simple pen testers”. Its leak site provides victim details through Frequently Asked Questions and Rules sections as well as multiple ways to contact the group.
8Base is not necessarily a new group, but its recent spike in activity has not gone unnoticed: it is one of the top two performing ransomware groups. Few details are available currently other than the ransom note and the fact that it appends the extension ‘.8base’ to encrypted files.
Researchers have spotted the Chinese state-backed APT Volt Typhoon exploiting a critical vulnerability in Zoho’s ManageEngine ADSelfService Plus, a single sign-on and password management solution.
Volt Typhoon came into the limelight recently, and the reports detailed a number of its TTPs, including its use of internet-exposed Fortinet FortiGuard devices for initial intrusion and the hiding of network activity via compromised routers, firewalls, and VPN hardware.
The recent campaign outlined by researchers suggests that Volt Typhoon is flexible: the group utilized CVE-2021-40539 in ManageEngine for intrusion, then masked its web shell as a legitimate process and erased logs as it went along.
Researchers have uncovered a new ransomware actor called NoEscape Ransomware-as-a-Service.
Active since May 2023, it has actively sought affiliates to join it. The most peculiar standout about this RaaS is its claim of being a C++-based ransomware developed entirely in-house, without relying on third-party resources or source code. This gives the operators and affiliates unprecedented control over their malicious activities.
The ransomware used in the NoEscape RaaS employs a combination of ChaCha20 and RSA encryption algorithms. This hybrid approach, often utilized by sophisticated ransomware groups, ensures the encryption of files and the protection of encryption keys.