Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week to cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
A number of GitHub accounts have been flagged for malicious activity after they were discovered to be distributing malware disguised as proof-of-concept exploits for zero-days. The fake repositories claim to include PoCs for zero-day flaws in Discord, Microsoft Exchange Server, and Google Chrome.
It appears that a lot of effort went into making these fraudulent accounts believable, with full profiles being constructed, all claiming to belong to High Sierra Cyber Security; a company that does not exist.
A list of all known malicious repositories can be found here, as well as the accounts of the perpetrators.
A Telegram bot has been found distributing the private data of vaccinated Indian citizens, which was reportedly stolen from the CoWIN vaccination tracking app. The bot, known as “hak4learn”, allegedly offers the personal data of a user in exchange for their phone number or Aadhaar national ID number. If the ID or number matches a record in the stolen database, the user receives their name, passport number, and date of birth in return. The app currently has more than 1 billion registered users, however the current leak is believed to include several hundred million records.
Local news outlets have tested the bot’s accuracy and were able to access the private information of multiple Indian politicians. The incident is currently being investigated by the Computer Emergency Response Team, but not much is known about how the data was leaked. We expect to see updates on this incident soon.
Enlisted, a free-to-play FPS game, has been the source of a ransomware operation targeting Russian players. Although free to play, the game is banned in Russia under national bans on popular FPS titles, forcing Russian players to seek illegitimate downloads. A ransomware gang has been using this opportunity to distribute infected copies of the game that install ransomware on victims' computers. When a user runs the game's installer, the Python-based "Crypter" ransomware launcher is executed; it identifies directories and files to target, which are then encrypted using AES-256 and given the extension “.wncry”. The victim is left with a ransom note instructing them to chat with a Telegram bot, which provides a crypto wallet address to send the ransom to in exchange for the decryption key.
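The two facts the round-up gives about this ransomware, the ".wncry" extension it appends and the fact that files are encrypted with AES-256, are enough for a simple triage check that a responder can run over a suspect share or backup: flag files that carry the extension, and flag files whose byte distribution looks like ciphertext. The script below is an added example written for this round-up; it is not Ironshare's tooling and not derived from the Crypter launcher. The entropy threshold of 7.5 bits per byte and the sample files are our own assumptions, and the "backup.zip" entry is there to show the main caveat: compressed archives also score as high entropy, so entropy alone is a signal to review rather than a verdict.

```python
import math
import os
from typing import Dict, List, Tuple

# Extension reported for the Enlisted-bundled ransomware (from the round-up above).
RANSOM_EXTENSION = ".wncry"

# Bits of entropy per byte above which content looks encrypted or compressed.
# 7.5 is an assumed tuning value chosen for this example, not a figure from the round-up.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Return Shannon entropy in bits per byte: 0.0 for constant content, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def classify(name: str, data: bytes) -> str:
    """Combine the two indicators: the known extension and ciphertext-like entropy."""
    has_ext = name.lower().endswith(RANSOM_EXTENSION)
    high_entropy = shannon_entropy(data) >= ENTROPY_THRESHOLD
    if has_ext and high_entropy:
        return "encrypted-by-ransomware"   # both indicators: strongest finding
    if has_ext:
        return "suspicious-extension"      # extension only, e.g. a dropped note or a decoy
    if high_entropy:
        return "high-entropy"              # could be ciphertext, could be a zip/jpeg: review
    return "clean"


def triage(files: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """Return (name, finding) for every file that is not clean, sorted by name."""
    return sorted((n, classify(n, d)) for n, d in files.items() if classify(n, d) != "clean")


def scan_directory(root: str, max_bytes: int = 65536) -> List[Tuple[str, str]]:
    """Walk a directory tree, sampling the first max_bytes of each file, and triage the result."""
    files: Dict[str, bytes] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    files[path] = fh.read(max_bytes)
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
    return triage(files)


# Constructed sample set (not real victim data) covering each classification branch.
SAMPLE_FILES: Dict[str, bytes] = {
    "notes.txt": b"quarterly report\n" * 40,            # plain text, low entropy -> clean
    "photo.jpg.wncry": bytes(range(256)) * 16,          # uniform bytes stand in for AES output
    "README.wncry": b"A" * 128,                         # extension but constant content
    "backup.zip": bytes(range(256)) * 2,                # high entropy, no extension (false positive risk)
}

if __name__ == "__main__":
    for name, finding in triage(SAMPLE_FILES):
        print(f"{finding:26} {name}")
```

On a real host you would call scan_directory on the user profile or a mapped share and review every "encrypted-by-ransomware" hit as confirmation of the outbreak's scope; "high-entropy" hits without the extension need a second look (archive, image or media file versus a newly written file), which is why the script reports them separately instead of folding them into one alert.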
During the lead-up to the Russian invasion of Ukraine, multiple cyber attacks on the Ukrainian Government using WhisperGate left computer systems inoperable. The entity responsible has since been identified as Cadet Blizzard, a Russian APT. Reports say this APT commonly gains initial access through known vulnerabilities in web servers such as Microsoft Exchange. The APT then moves laterally to avoid detection, collects credentials, elevates privileges, establishes web shells to maintain persistence, and ultimately steals data and infects devices with malware. Cadet Blizzard hasn't limited its attacks to Ukraine: it has attacked targets elsewhere in Europe, Central Asia, and even Latin America, as well as targeting IT service providers and software supply chain manufacturers, NGOs, emergency services, and law enforcement. “Their goal is destruction, so organizations absolutely need to be equally worried about them, as they would with other actors, and take proactive measures like turning on cloud protections, reviewing authentication activity, and enabling multifactor authentication (MFA) to protect against them," comments Sherrod DeGrippo, director of threat intelligence strategy at Microsoft.
An ex-Samsung executive was recently arrested in South Korea on suspicion of stealing secret information relating to Samsung's chip technology. The former executive, who also worked as a vice president for SK Hynix, was accused of stealing the data to build a rival factory along with six other people, including an inspection company employee accused of leaking architectural plans of the Samsung chip factory. The plan failed due to funding issues in 2018. "We will sternly deal with any leakage of our technology abroad and strongly respond to illegal leak of domestic companies' core technologies in semiconductor, automobile, and shipbuilding sectors, among others," a national police official said in a statement.
UNC3886 is a Chinese cyberespionage group whose most recent activity involves exploitation of a new VMware ESXi zero-day. This vulnerability, if exploited correctly, allows an attacker to elevate their privileges on guest VMs. The group has been seen stealing credentials and deploying backdoors on target VMware ESXi hosts, vCenter servers, and Windows VMs.
This flaw is currently flagged as ‘low severity’, as exploitation requires existing root access to an affected ESXi server. More details on this zero-day can be found here.
Welcome to our Round-Up of June’s Microsoft Patch Tuesday! This month’s batch of security updates includes fixes for 78 total vulnerabilities, 6 of which are considered critical. While none of the addressed flaws have been publicly disclosed, or exploited in the wild, there are some key updates that we recommend applying as soon as possible.
For more information on the critical vulnerabilities patched this month, please see our dedicated Patch Tuesday round-up.
And that’s it for this week’s round-up, please do check in next week for our new batch of security news and posts.
Stay Safe, Secure and Healthy!
Edition #239 – 16th June 2023
Stuart Hare is a Technologist with a passion for helping people in all aspects of IT & Cyber Security. Stuart is the Founder of Ironshare, an Information and Cyber Security company providing consultancy and managed services.
Samuel is a Security Analyst with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.
Joshua is working as a Managed Service Lead with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.
Ironshare is a provider of Information and Cyber Security services.