October 3, 2023

CVE-2023-38408: OpenSSH RCE Vulnerability

Researchers from Qualys Security have discovered a remote code execution vulnerability in OpenSSH’s forwarded ssh-agent, tracked as CVE-2023-38408. OpenSSH is an open-source implementation of the SSH protocol that offers a robust suite of services for encrypted communication over an unsecured network in a client-server architecture.

A key actor in this context is the ssh-agent. This is a helper program that simplifies the user authentication process by maintaining records of users’ identity keys and passphrases. Once the keys are stored in ssh-agent, it allows users to log into other servers without needing to enter their password or passphrase again, thereby creating a seamless SSO experience. However, recent events have proven that even this well-intentioned system can harbor a potentially devastating vulnerability.
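Because the flaw sits in the forwarded ssh-agent, the exposure a defender can measure on the client side is which destination hosts actually receive a forwarded agent. The following example is added here (it is not code from Qualys, OpenSSH or this post) and resolves the effective ForwardAgent setting per hostname using ssh_config's first-match semantics and Host pattern negation, run over a constructed sample config; it assumes Match blocks can be skipped.

```python
import fnmatch
import re

def parse_ssh_config(text):
    """Split ssh_config text into (host_patterns, options) blocks in file order;
    options before the first Host go under '*', Match blocks get None (skipped)."""
    blocks = [(["*"], {})]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"([^\s=]+)\s*=?\s*(.*)", line)
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "host":
            blocks.append((value.split(), {}))
        elif key == "match":  # assumption: Match criteria are not evaluated here
            blocks.append((None, {}))
        else:
            blocks[-1][1].setdefault(key, value)  # first value in a block wins
    return blocks

def host_matches(patterns, hostname):
    """ssh Host rule: a positive pattern must match; a matching '!pat' rejects."""
    if patterns is None:
        return False
    positive = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(hostname, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(hostname, pat):
            positive = True
    return positive

def resolve_forward_agent(text, hostname):
    """ForwardAgent value ssh would use ('no' if unset): FIRST match wins."""
    for patterns, options in parse_ssh_config(text):
        if host_matches(patterns, hostname) and "forwardagent" in options:
            return options["forwardagent"].lower()
    return "no"

SAMPLE_CONFIG = """\
# constructed sample ~/.ssh/config for this example, not a real deployment
Host bastion.example.com
    ForwardAgent yes
Host *.internal.example.com !build.internal.example.com
    ForwardAgent yes
Host *
    ForwardAgent no
"""
```

Any hostname that resolves to something other than "no" is a host whose compromise would expose the forwarded agent, so those entries are the ones to review and trim.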

CVE-2023-36884 – Microsoft Zero-Day Exploited in the Wild

Microsoft warns that threat actors are actively exploiting an unpatched zero-day present in several Windows and Office products. The bug enables malicious actors to gain remote code execution via malicious Office documents.

The campaign was seen in Europe and North America, with the vulnerability observed in attacks targeting organizations that attended the NATO Summit in Vilnius. Threat actors impersonated the Ukrainian World Congress organization to trick victims into opening malicious documents.

The phishing campaign attempting to spread the malicious files is conducted by a threat actor tracked as Storm-0978, also known as RomCom. Storm-0978, or RomCom, is a Russia-based threat group known for sophisticated attacks.


Deloitte Refutes Data Breach That Cl0p Claims Responsibility For

The Cl0p Ransomware has struck again, this time claiming to have targeted Deloitte. The ransomware gang, known for its high-profile attacks, claimed responsibility for breaching Deloitte’s infrastructure in a recent post on its dark web data breach blog. While Deloitte’s response refutes the claims, the incident highlights the ongoing risk posed by the MOVEit vulnerability.

Deloitte’s denial of the breach comes with a strong statement from the company’s global spokesperson. Deloitte stated that it found no evidence of any breach of client data during its analysis. The company took immediate action upon discovering the zero-day vulnerability, applying security updates and mitigating actions as per the vendor’s guidance. Deloitte claimed that its global network’s use of the vulnerable MOVEit Transfer software is limited, and that its analysis revealed no impact on client data.


Gamaredon back with latest TTP

Ukraine’s CERT-UA is warning that the Russia-linked APT group Gamaredon steals data from victims’ networks in less than an hour after the initial compromise. The Gamaredon APT group, active since 2014, continues to carry out attacks against entities in Ukraine, including security services, military, and government organizations.

Since the Russian invasion of Ukraine, the cyber espionage group has carried out multiple campaigns against Ukrainian targets. CERT-UA has monitored Gamaredon operations and was able to gather intelligence on the APT’s TTPs.

They use spear-phishing emails and messages as the initial attack vector. The cyberspies often use previously compromised accounts and trick victims into opening malicious attachments disguised as office documents. Once the victim opens the document, it takes between 30 and 50 minutes to steal data from the infected system.


BlackCat Ransomware Abuses Ads to Spread Malware

Researchers have spotted the BlackCat ransomware gang using Google and Bing search ads promoting a well-known file-transfer app as a lure to drop malicious payloads and infect victims with malware. The research report describes the TTPs deployed during the attack, including legitimate and illegitimate tools, scripts, and commands leading to a BlackCat infection.

The malvertising campaign directs anyone who clicks on the malicious ads to a spoofed download page for WinSCP, a popular open-source Windows application used to copy files between a local computer and remote servers using a range of transfer protocols.

The threat actor gained and abused top-level administrator privileges, attempted to establish persistence, and planted backdoor access to the network using remote management tools including AnyDesk. After that, the adversaries attempted to steal passwords and access backup servers.
