Welcome to Ironshare’s Cyber Round-up, where we look back at the events of that last week to cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
A new ransomware operation, utilising the MalasLocker strain, has been seen targeting Zimbra servers with intent to “steal emails and encrypt files”. The first sighting of this operation in action was in March 2023, and since then there have been multiple reports of attacks on Zimbra forums. What makes these attacks unique is the unusual demands stated in the ransom note. The ransomware operators are demanding that their victims send their money to any non-profit charity that they approve of.
The ransom note states:
“Unlike traditional ransomware groups, we’re not asking you to send us money. We just dislike corporations and economic inequality.”.
The MalasLocker data leak site is currently home to the stolen data of more than 170 victims; the site’s homepage also displays their opposition of corporations as a clear driving factor for their operations.
By bleepingcomputer.com
Recent tension between Taiwan and China appears to have sparked an influx of cyber attacks. The Trellix Advanced Research Center covered this surge of attacks in a recent report, detailing a dramatic rise in malicious emails targeting Taiwan, and a 15x increase in detections of the PlugX remote access trojan. The primary goal of these attacks is to steal sensitive information and disrupt major sectors in the small island country.
Trellix also shared their thoughts on the situation, stating that “geopolitical conflicts are one of the main drivers for cyber attacks” over the last few years.
By thehackernews.com
Researchers have identified multiple methods attackers could use on Microsoft Teams to allow users to be phished or to deliver malware. Teams’ Tabs can point to applications, websites, and files however, an attacker could create a tab to a malicious website and name it as “files” and reposition it to the default teams’ file tab. This could potentially trick users especially since the URL is only presented to the user in the tabs settings menu. Alternatively, a hacker could simply point their tab to a malicious file. If the user is accessing Teams via the desktop or Web client, Teams will automatically download the file to the user's device. An attacker could also sabotage auto-generated meeting links in calendar invites to malicious ones through API calls, this would be hard to identify for people due to the length and almost random-seeming links generated for teams meetings.
Teams is often used as a platform to share sensitive information and documents, thus when an account is accessed by an attacker there is a risk of a data breach. “We have seen thousands of organizations experience Teams account takeover, which subsequently led to financial fraud, brand abuse, sabotage, data theft, and other risks. According to multiple studies, the average cost of an account takeover incident can cost thousands to millions of dollars” reported security researchers.
By darkreading.com
US-based marketer and distributor, Sysco, has announced that their systems were breached in March of 2023. While the full extent of the attack is still unknown, Sysco were able to confirm that the social security numbers of more than 126K employees (current and former) were exposed. The company confirmed that business operations were not impacted by the attack, and they are working with law enforcement to investigate the incident. All affected employees have been promised identity theft protection and credit monitoring services for the next two years.
By cybernews.com
Cisco has released patches for multiple critical vulnerabilities present in their small business switches. Although fixes have been made available, Cisco has expressed concern due to proof-of-concept exploits that have been made publicly available.
An attacker can exploit these flaws by sending specially crafted requests to the web interface, which can potentially lead to the execution of arbitrary code with root privileges It is also worth noting that this code execution does not require authentication.
Updates are now available for the following devices:
250 series smart switches
350 series managed switches
350X and 550X series stackable managed switches
Business 250 series smart switches
Business 350 series managed switches.
Please note that multiple vulnerable small business switches are end-of-life and, as a result, will not be receiving security fixes. We urge all users to apply the latest updates as soon as possible; those with end-of-life products should also consider upgrading to a newer, supported model.
By securityweek.com
Security researchers have discovered and disclosed a vulnerability in Essential Addons For Elementor, a popular WordPress Plugin with more than one million installations. This flaw, if exploited, could allow an attacker to reset the passwords of any accounts belonging to a site running this plugin. This is possible due to password reset requests not being validated properly with a password reset key. Attackers can easily enter a valid username, obtain a valid nonce value from the site and reset the user's password.
WordFence has also reported a significant increase in readme.txt probing attempts for Essential Addons for Elementor following the disclosure of the vulnerability. Their recent report states that they have blocked 6,900 attempted exploits concerning this vulnerability.
We recommended updating the Essential Addons For Elementor to 5.7.2 or later to stay protected from this attack.
By wordfence.com
And that’s it for this week’s round-up, please do check in next week for our new batch of security news and posts.
Stay Safe, Secure and Healthy!
Edition #235 – 19th May 2023
Stuart Hare is a Technologist with a passion for helping people in all aspects of IT & Cyber Security. Stuart is the Founder of Ironshare, an Information and Cyber Security company providing consultancy and managed services.
Samuel is a Security Analyst with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.
Joshua is working as a Managed Service Lead with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.
