July 16, 2023

PicassoLoader Malware Used in Ongoing Attacks on Ukraine and Poland

Description

Ukraine and Poland have experienced a series of cyberattacks targeting government entities, military organizations, and civilians. These campaigns, spanning from April 2022 to July 2023, involve sophisticated tactics such as phishing emails and decoy documents. The attackers utilize malware like PicassoLoader, Cobalt Strike Beacon, and njRAT to gain persistent remote access and steal sensitive data. GhostWriter, a threat actor with alleged ties to the Belarusian government, is among the groups involved. Additionally, Russia’s APT28 and APT29 have targeted Ukraine, employing phishing techniques and repurposing legitimate materials for their malicious activities. These ongoing attacks highlight the need for strong cybersecurity measures and heightened vigilance to protect against evolving cyber threats.

The cyberattacks in Ukraine and Poland have employed multi-stage infection chains and advanced techniques. Phishing emails containing malicious Microsoft Office documents are used to initiate the attacks, with victims being tricked into enabling macros. This triggers the deployment of PicassoLoader, a downloader malware that retrieves additional payloads from attacker-controlled servers. GhostWriter, APT28, and APT29 are among the threat actors involved, targeting various organizations and individuals. The attacks highlight the persistent risks faced by these countries and the importance of robust cybersecurity practices, including user awareness, to safeguard sensitive data and systems.

Infected Technology

Microsoft Office with ‘Malware, Phishing, Command-and-Control, Image Files, Email, Instant Messengers, Office Suite’

Source

https://thehackernews.com/2023/07/picassoloader-malware-used-in-ongoing.html?m=1

Recommendation

• Implement robust email security solutions that can identify and block malicious emails, phishing attempts, and suspicious attachments. • Ensure that all software, including operating systems and applications, is promptly patched, and updated to address known vulnerabilities.

Critical Vulnerability Discovered in Popular Messaging App: Urgent Patch Required to Safeguard User Data

Description

A significant security flaw has been uncovered in a highly popular messaging app, raising serious concerns about the privacy and security of its users. The discovery of this critical vulnerability has brought attention to the urgent need for users to update their software promptly and take necessary precautions to protect their sensitive information from potential cyber threats. According to the security researchers who identified the flaw, the vulnerability exposes users to potential attacks that could compromise their personal data, including chat logs, media files, and even their login credentials. Such unauthorized access to private conversations and personal information can have severe consequences, ranging from identity theft to blackmail or espionage. The alarming nature of this discovery serves as a stark reminder to users of the importance of keeping their software up to date. Security patches and updates are often released by app developers to address vulnerabilities and strengthen the overall security of their platforms. Neglecting to apply these updates can leave users susceptible to exploitation by cybercriminals who actively seek out and exploit security flaws in widely-used applications.

Infected Technology

Github

Source

https://thehackernews.com/2023/07/blog-post.html

Recommendation

● Users of the affected messaging app should immediately check for updates and install the latest version provided by the app developer. It is crucial to ensure that the software is regularly updated to protect against known vulnerabilities and potential exploits. Additionally, users are advised to exercise caution when sharing sensitive information or clicking on suspicious links within the app until the update is applied.

Microsoft Bug Allowed Hackers to Breach Over Two Dozen Organizations via Forged Azure AD Tokens

Description

Microsoft disclosed that a validation error in its source code allowed a malicious actor, known as Storm-0558, to forge Azure Active Directory (Azure AD) tokens using a Microsoft account (MSA) consumer signing key. This breach impacted approximately 25 organizations, including government entities, compromising email access and exfiltrating mailbox data. The origin of how Storm-0558 obtained the key is under investigation. The token validation issue has been addressed. Storm-0558 is suspected to be a China-based threat actor engaged in espionage activities. The hacking crew primarily targets U.S. and European governing bodies, Taiwan and Uyghur interests, media companies, think tanks, and telecommunications providers. Microsoft has taken steps to mitigate the issue and notified affected customers. However, concerns have been raised about Microsoft’s handling of the incident and access to forensic capabilities. The breach highlights China’s cyber espionage capabilities and its ability to penetrate various IT systems.

Infected Technology

Microsoft

Source

https://thehackernews.com/2023/07/microsoft-bug-allowed-hackers-to-breach.html

Recommendation

• Implement multi-factor authentication and update security practices. • Improve monitoring to detect suspicious activities. • Train employees on phishing and security best practices. • Collaborate with government entities for threat intelligence. • Provide customers with forensic capabilities and audit logs.

Critical Security Flaws Uncovered in Honeywell Experion DCS and QuickBlox Services

Description

Honeywell Experion DCS: Nine vulnerabilities, collectively known as Crit.IX, were found in the Honeywell Experion distributed control system. These flaws could allow unauthorized remote code execution, enabling attackers to take control of devices and manipulate DCS controllers. Insufficient encryption and authentication mechanisms in the Control Data Access (CDA) protocol contribute to the vulnerabilities. QuickBlox: Check Point and Claroty discovered critical flaws in QuickBlox, a chat and video calling platform widely used in telemedicine, finance, and IoT devices. Exploiting these vulnerabilities could lead to user database leaks and facilitate full account takeover attacks. Aerohive/Extreme Networks Access Points: Remote code execution vulnerabilities were found in these access points running HiveOS/Extreme IQ Engine versions prior to 10.6r2. Successful exploitation could result in arbitrary command execution. Ghostscript Library: Ghostscript, a widely used package, was found to have a remote code execution vulnerability. This library, which can be triggered through various applications like image editors or printers, poses risks beyond a single application. Golang-based Platforms: Two Golang-based open-source platforms, Owncast and EaseProbe, were discovered to have security weaknesses. Owncast is susceptible to Server-Side Request Forgery (SSRF) attacks (CVE-2023-3188), while EaseProbe is vulnerable to SQL injection attacks (CVE-2023-33967). Technicolor TG670 DSL Gateway Routers: Hard-coded credentials were identified in these routers, enabling authenticated users to gain full administrative control. Remote administration should be disabled to mitigate potential exploitation.

Infected Technology

Honeywell Experion DCS, QuickBlox, Aerohive/Extreme Networks Access Points, Ghostscript Library, Golang-based Platforms, Technicolor TG670 DSL Gateway Routers

Source

https://thehackernews.com/2023/07/critical-security-flaws-uncovered-in.html

Recommendation

• Disabling remote administration and contacting service providers to determine the availability of patches and updates to address these vulnerabilities.

AIOS WordPress Plugin Faces Backlash for Storing User Passwords in Plaintext

Description

The popular WordPress plugin, All-In-One Security (AIOS), released a security update due to a bug in version 5.1.9. The bug caused users’ passwords to be stored in plaintext in the database, potentially accessible to malicious site administrators. The issue was reported by a user three weeks ago, expressing surprise that a security plugin would make such a basic error. AIOS confirmed that the update removes the stored passwords and mentioned that exploiting the vulnerability requires the attacker to have already compromised the site or gained unauthorized access. However, as a precaution, users are advised to enable two-factor authentication and change their passwords, especially if they use the same credentials on other sites.

Infected Technology

• WPEverest’s user registration plugin

Source

https://thehackernews.com/2023/07/aios-wordpress-plugin-faces-backlash.html

Recommendation

• Change Passwords and Use Unique Credentials • Regularly Backup and Secure Your Website • Update AIOS and Enable Two-Factor Authentication

CVE ID

CVE-2023-3342

Critical Vulnerability Detected In The REST API of Cisco SD-WAN vManage Software

Description

A critical vulnerability (CVE-2023-20214) has been discovered in the Cisco SD-WAN vManage software’s REST API authentication validation. The flaw is due to insufficient request validation in the REST API feature. This issue allows remote attackers to modify configurations without proper authentication, disrupt network operations, retrieve confidential information and to gain unauthorized access to critical configuration data. Cisco SD-WAN vManage software users must immediately install the fixes provided by Cisco, which have been issued to remedy the vulnerability. Since there are currently no known solutions, it is crucial that the given patches be installed in order to minimize the risk from threat actors.

Infected Technology

• Cisco SD-WAN vManage software

Source

https://cybersecuritynews.com/cisco-sd-wan-vmanage-flaw

Recommendation

• Implement access control lists (ACLs) to restrict access to only trusted IP addresses, preventing outside attackers from gaining unauthorized access. • Utilize API keys when accessing APIs for an extra layer of security. • Monitor logs for any suspicious activity related to the REST API. • Keep the system software up to date with the latest patches and releases.

CVE ID

CVE-2023-20214