Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week to cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
The US State Department is desperate to track down the operators of the Cl0p ransomware gang. Their most recent advisory states that a reward of up to $10 million will be offered to those willing to share data on Cl0p, or any other similar cybercriminal gangs. This “Reward for Justice” has been advertised in the hope that insiders will come forward with useful information; the department is aware that coming forward may prove dangerous for any insiders involved and has thus encouraged any information to be shared via encrypted messaging systems such as WhatsApp or Telegram.
Between June 2022 and May 2023, over 100,000 accounts for ChatGPT were found on dark web marketplaces. This discovery, made by Group-IB, found that information stealer malware logs containing ChatGPT accounts were being sold, and that most of the logs containing ChatGPT accounts had been captured by the notorious Raccoon info stealer, followed by Vidar and RedLine. Group-IB has explicitly stated that the logs come from commodity malware reporting stolen credentials back to its operators, and not from a data breach relating to ChatGPT itself. "Logs containing compromised information harvested by info stealers are actively traded on dark web marketplaces […] additional information about logs available on such markets includes the lists of domains found in the log as well as the information about the IP address of the compromised host," Group-IB said. It is recommended that users follow password best practices and secure their accounts with two-factor authentication to prevent account takeover attacks.
Microsoft has released a statement saying that the early June disruptions to its services, including Outlook, Teams, SharePoint Online, OneDrive and the Azure cloud computing platform, were the result of a distributed denial of service attack. While initially reluctant to publicise the cause of the disruptions, Microsoft has since said that the hacktivist group “Anonymous Sudan” was to blame, after the group flooded Microsoft with junk traffic and claimed responsibility for the attack on its Telegram channel. Microsoft has since labelled this group as Storm-1359, using a designator it assigns to groups whose affiliation it has not yet established; however, some security groups believe it to be of Russian origin. Security researcher Jake Williams stated, “We know some resources were inaccessible for some, but not others. This often happens with DDoS of globally distributed systems,” adding that Microsoft’s apparent unwillingness to provide an objective measure of customer impact “probably speaks to the magnitude.” The attack was sustained over a week-long period; however, services are now operational.
Google tweeted an alert to all WhatsApp users on Android devices to update the app due to a bug allowing access to the device's microphone. WhatsApp has admitted that the bug caused “erroneous” privacy indicators and notifications in the Android Privacy Dashboard. Affected users reported privacy concerns where WhatsApp appeared to be accessing the microphone even when the app was supposed to be inactive. This mainly affected Samsung and Pixel phones, and the microphone activity was visible through the green dot indicator, which shows when the camera or microphone is in use.
Apple’s latest iOS security update is an important one, with fixes being released for remote code execution flaws that have been actively exploited in the wild. Apple has described these vulnerabilities as “memory corruption issues in the kernel and WebKit” that allow an app to execute arbitrary code with kernel privileges.
These flaws were addressed in iOS 16.5.1, iOS 15.7.7, and iPadOS 15.7.7. Apple has attributed the discovery of the vulnerabilities to Kaspersky, who reported that the flaws were used by an APT attacker “launching zero-click iMessage exploits”.
A high-severity flaw was recently found in the Cisco Secure Client software, with Proof-of-Concept exploit code already publicly available. Successful exploitation of this vulnerability could allow an attacker to elevate privileges on the affected system.
This flaw was fixed in version 4.10MR7 of the AnyConnect Secure Mobility Client for Windows, and 5.0MR2 of the Cisco Secure Client for Windows.
We advise all users of the Cisco Secure Client or AnyConnect Client to update to the latest version as soon as possible.
And that’s it for this week’s round-up; please do check in next week for our new batch of security news and posts.
Stay Safe, Secure and Healthy!
Edition #240 – 23rd June 2023
Stuart Hare is a Technologist with a passion for helping people in all aspects of IT & Cyber Security. Stuart is the Founder of Ironshare, an Information and Cyber Security company providing consultancy and managed services.
Samuel is a Security Analyst with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.
Joshua is working as a Managed Service Lead with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.
Ironshare is a provider of Information and Cyber Security services.