September 29, 2023

PlayCrypt Ransomware Attacks MSPs

Researchers have spotted a threat actor using PlayCrypt and leveraging the Remote Monitoring and Management (RMM) software used by service providers to gain direct access to a customer's environment, bypassing most of its defenses.

The PlayCrypt ransomware group, initially spotted in June last year and believed to be affiliated with the Balloonfly malware group, can use this remote access capability to wreak havoc on mid-market firms. It employs double-extortion tactics, stealing victim data before encrypting their networks.

PlayCrypt has expanded its toolkit with new tools and exploits such as ProxyNotShell, OWASSRF, and a Microsoft Exchange Server remote code execution vulnerability. The group usually uses RDP as its vector for network infiltration, but it can also exploit FortiOS vulnerabilities (CVE-2018-13379 and CVE-2020-12812) and other compromised software in the supply chain.

WinRAR Zero-Day CVE-2023-38831 Exploited

Threat actors are targeting users of online cryptocurrency trading forums via a now-patched bug in the popular WinRAR file compression and archiving utility. The vulnerability, tracked as CVE-2023-38831, allowed the attackers to hide malicious code in ZIP archives masquerading as ".jpg," ".txt," and other file formats, and then distribute them in online cryptocurrency trading forums.

Researchers discovered the zero-day vulnerability in WinRAR while investigating threat activity related to the DarkMe RAT, which is attributed to Evilnum. The malware packs a variety of functions for spying on targets or for use as a loader for other malware.

The vulnerability stemmed from how WinRAR processes the ZIP file format. It essentially gave attackers a way to conceal various types of malware tools in ZIP archives and distribute them to target systems. Group-IB researchers observed the threat actor deliver at least three malware families this way: DarkMe, GuLoader, and Remcos RAT.


CarderBee APT Group in the Limelight

Researchers have discovered a previously unknown APT group attacking organizations in Asia, particularly Hong Kong, using commercial software to deploy backdoor malware.

The group, dubbed CarderBee, uses Cobra DocGuard Client, a software package designed to let users access and manage their Consolidated Omnibus Budget Reconciliation Act documents, to gain access to victims' machines. The Cobra DocGuard Client is said to have been developed by the Chinese company EsafeNet. That is where the story gets interesting: CarderBee uses PlugX, a malware family used by Chinese state-backed threat groups.


Cuba Ransomware Enhances Its Attack Tactics

Researchers have spotted the Cuba ransomware gang attacking critical infrastructure organizations in the US and Latin America, utilizing a mix of both new and old tools. BlackBerry's Threat Research and Intelligence team detected the latest campaign in early June 2023.

The Cuba ransomware gang is now exploiting CVE-2023-27532 to steal credentials from configuration files. This vulnerability affects Veeam Backup & Replication (VBR) products, and an exploit has been available since March 2023. Before this, FIN7, a group with multiple known connections to various ransomware operations, was actively exploiting CVE-2023-27532.


Scraped DuoLingo User Data Is for Sale

Threat actors have exposed 2.6 million DuoLingo users' data on the dark web. The sale was posted on August 22nd for a cost of only $2.13. The scraped DuoLingo data was previously for sale on another dark web forum, in January 2023, at a cost of $1,500. The DuoLingo data was scraped via an exposed API. Since at least March 2023, researchers have publicly shared how to use the API, which enables anyone to submit a username and retrieve JSON output containing the user's public profile details.

The API enabled the scraper to take millions of email addresses previously exposed in other data breaches and build a dataset that matched public and non-public information about the owners of those email addresses.
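The scraping described above leaves a recognizable footprint in web server logs: a single client querying a profile-lookup endpoint for a large number of distinct usernames in a short period. The following detector is an added example, not code from the original post or from DuoLingo; it assumes a hypothetical endpoint path `/api/profile` with a `username` query parameter, a common-log-format line layout, and the constructed sample log lines built inside the block. It tracks, per client IP, the number of distinct usernames requested inside a sliding time window and flags clients that exceed a threshold.

```python
"""
Added example (not from the original post): a detector for public-profile
API scraping. It parses web access log lines, counts how many distinct
usernames each client queries on a profile endpoint within a sliding window,
and flags clients that exceed a threshold.

Assumptions (not stated in the post): the endpoint path /api/profile with a
`username` query parameter, common-log-format lines, and the sample log
lines constructed in build_sample_log().
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
import re
from urllib.parse import urlparse, parse_qs

# Common Log Format: ip - - [timestamp] "METHOD path HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
PROFILE_PATH = "/api/profile"          # assumed endpoint name
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"     # e.g. 22/Aug/2023:10:00:00 +0000


def parse_line(line):
    """Return (ip, timestamp, username) for profile lookups, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlparse(m["path"])
    if url.path != PROFILE_PATH:
        return None
    username = parse_qs(url.query).get("username", [None])[0]
    if not username:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FORMAT), username.lower()


def detect_enumeration(lines, window=timedelta(minutes=5), threshold=20):
    """Flag client IPs that request more than `threshold` distinct usernames
    within any `window`-long span. Returns {ip: peak distinct usernames}."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e[1])           # logs may arrive out of order
    per_ip = defaultdict(deque)               # ip -> (ts, username) in window
    flagged = {}
    for ip, ts, user in events:
        q = per_ip[ip]
        q.append((ts, user))
        while q and ts - q[0][0] > window:    # drop events older than window
            q.popleft()
        distinct = len({u for _, u in q})     # repeats of one name don't count
        if distinct > threshold:
            flagged[ip] = max(flagged.get(ip, 0), distinct)
    return flagged


def build_sample_log():
    """Constructed sample: one scraper, one ordinary user, one unrelated hit."""
    base = datetime(2023, 8, 22, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(25):   # scraper: 25 distinct usernames in about two minutes
        t = base + timedelta(seconds=5 * i)
        lines.append(f'203.0.113.9 - - [{t.strftime(TS_FORMAT)}] '
                     f'"GET /api/profile?username=user{i:03d} HTTP/1.1" 200 512')
    for i, u in enumerate(["alice", "bob", "alice", "carol"]):  # normal browsing
        t = base + timedelta(seconds=30 * i)
        lines.append(f'198.51.100.4 - - [{t.strftime(TS_FORMAT)}] '
                     f'"GET /api/profile?username={u} HTTP/1.1" 200 480')
    lines.append(f'198.51.100.4 - - [{base.strftime(TS_FORMAT)}] '
                 f'"GET /static/app.js HTTP/1.1" 200 9000')
    return lines


if __name__ == "__main__":
    for ip, peak in detect_enumeration(build_sample_log()).items():
        print(f"possible profile enumeration from {ip}: "
              f"{peak} distinct usernames in one window")
```

The threshold and window are tunable to the site's real traffic; counting distinct usernames rather than raw requests keeps an ordinary user refreshing one profile from tripping the alert, while a scraper walking a list of breached email addresses or usernames is flagged within its first window.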
