Cyber Round-up for 29th April
Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week to cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
A RIG Exploit Kit campaign has been discovered recently, which appears to be exploiting a Memory Corruption vulnerability in Internet Explorer to deliver the RedLine Stealer malware. RedLine Stealer has been described as “a low-cost password stealer sold on underground forums” and allows an attacker to perform reconnaissance on the target system and extract data such as passwords, payment card information and crypto wallets. As always, we recommend keeping up to date with patches to ensure you are not at risk from known vulnerabilities.
This month, Cloudflare systems detected a HTTPS DDoS attack sending 15.3 million requests-per-second; this is the largest HTTPS DDoS attack ever recorded, and Cloudflare managed to successfully block it. The attack targeted one of their customers and lasted around 15 seconds before being blocked automatically by Cloudflare’s autonomous detection and mitigation systems. The ability to block attacks of this scale without human interaction is very impressive and shows Cloudflare’s true intention to build a better internet.
Recent activity from Emotet has been detected by Proofpoint, who have observed new delivery techniques being tested. This activity was scarce and only a few emails were detected; however, they did appear to use different methods. The emails were very simple and contained zip files hosted on OneDrive; the subject was often a single word such as “Salary”, and the messages were sent from compromised accounts. While current Emotet activity is relatively low volume, we still advise looking out for potential indicators.
IOCs for the recent campaign can be found here, as well as more details for those interested in the new techniques.
T-Mobile is the latest company to be hit by the relentless hacker group LAPSUS$. It was reported that stolen credentials were used to access internal systems, potentially allowing LAPSUS$ to freely conduct SIM swapping attacks. T-Mobile stated, “The systems accessed contained no customer or government information or other similarly sensitive information, and we have no evidence that the intruder was able to obtain anything of value”; however, leaked chats reveal that T-Mobile’s Slack and Bitbucket accounts were compromised, and 30,000 source code repositories were stolen. This is yet another attack by LAPSUS$ on a high-profile organisation; Impresa, NVIDIA, Samsung, Vodafone, Ubisoft, Microsoft, Okta, and Globant were all previous victims of the group’s exploits.
The FBI has published a report stating that at least 60 organisations worldwide have been hit by the BlackCat ransomware since November 2021. BlackCat has been seen targeting Windows, Linux and VMware ESXi systems, with ransom demands ranging from a few hundred thousand to three million dollars.
The FBI report, which you can find here, contains details on the nature of the attack, as well as indicators of compromise you should be aware of.
Vulnerabilities & Updates
A collection of vulnerabilities, being tracked as Nimbuspwn, reportedly allows local attackers to gain root privileges on Linux systems; this could lead to the deployment of malware and could even be utilised in ransomware attacks. These flaws exist in networkd-dispatcher, the component that runs scripts in response to network connection status changes, and have been identified as directory traversal, symlink race, and time-of-check-to-time-of-use (TOCTOU) vulnerabilities. There is currently no fix for Nimbuspwn; however, we advise all Linux users to keep an eye out for the next patch and update their systems as soon as possible.
More details on these vulnerabilities can be found here.
Project Zero, Google’s security research team, was reported to have discovered vulnerabilities in iMessage and the iOS sandbox in 2021. The iMessage vulnerability hasn’t been publicly disclosed and information surrounding it has been kept secret, but the vulnerability is thought to be “an impressive work of art” and the “most technically sophisticated exploit” Project Zero has ever seen. This comes as no surprise, since it was reported that the flaw was used in the NSO Pegasus spyware for “zero-click” exploitation.
The second vulnerability was found in the iOS sandbox, the feature that stops third-party applications from reading other applications’ data and making changes to the device. The vulnerability was a sandbox escape that allows a third-party application to gain greater rights than it was granted, freely access data stored on the device, and change device configurations.
And that’s it for this week’s round-up; please do check in next week for our new batch of security news and posts.
Stay Safe, Secure and Healthy!
Edition #187 – 29th April 2022
Why not follow us on social media:
Ironshare – Security Simplified