InForce Cyber

Threat Report October 2022

1. Google Issues Urgent Chrome Update to Patch Actively Exploited Zero-Day Vulnerability

Google on Thursday rolled out emergency fixes to contain an actively exploited zero-day flaw in its Chrome web browser. The vulnerability, tracked as CVE-2022-3723, has been described as a type confusion flaw in the V8 JavaScript engine. Security researchers Jan Vojtěšek, Milánek, and Przemek Gmerek of Avast have been credited with reporting the flaw on October 25, 2022. "Google is aware of reports that an exploit for CVE-2022-3723 exists in the wild," the internet giant acknowledged in an advisory, without getting into more specifics about the nature of the attacks. CVE-2022-3723 is the third actively exploited type confusion bug in V8 this year, after CVE-2022-1096 and CVE-2022-1364.

Figure 1. Definition of Zero-Day vulnerability
2. Raspberry Robin Operators Selling Cybercriminals Access to Thousands of Endpoints

The Raspberry Robin worm is becoming an access-as-a-service malware for deploying other payloads, including IcedID, Bumblebee, TrueBot (aka Silence), and Clop ransomware. It is "part of a complex and interconnected malware ecosystem, with links to other malware families and alternate infection methods beyond its original USB drive spread," the Microsoft Security Threat Intelligence Center (MSTIC) said in a detailed write-up.

Raspberry Robin, also called QNAP Worm owing to its use of compromised QNAP storage servers for command-and-control, is the name given by cybersecurity company Red Canary to a malware that spreads to Windows systems through infected USB drives.

MSTIC is tracking the activity group behind the USB-based Raspberry Robin infections as DEV-0856, adding that it is aware of at least four confirmed entry points that all appear to share the end goal of deploying ransomware.

3. British Hacker Charged for Operating "The Real Deal" Dark Web Marketplace

A 34-year-old U.K. national has been prosecuted in the U.S. for operating a dark web marketplace called The Real Deal that sold hacking tools and stolen login credentials.

Daniel Kaye, who went by a litany of pseudonyms, including Popopret, Bestbuy, UserL0ser, and Spdrman, has been charged with five counts of access device fraud and one count of money laundering conspiracy. Kaye was indicted in April 2021 and subsequently consented to his extradition from Cyprus to the U.S. in September 2022. "While living overseas, this defendant allegedly operated an illegal website that made hacking tools and login credentials available for purchase, including those for U.S. government agencies," said U.S. Attorney Ryan K. Buchanan.

Court documents show that The Real Deal, until its shutdown in 2016, functioned as a market for illicit items, including stolen account logins for U.S. government computers, bank accounts, and social media platforms such as Twitter and LinkedIn. Also peddled through the portal were plundered credit card information, personal data, botnets, hacking tools, illegal drugs, and weapons listed for sale by vendors, who had profile pages that offered an option to rank them. Some of the U.S. government computers whose credentials were allegedly sold by Kaye belong to the U.S. Postal Service, the National Oceanic and Atmospheric Administration, the Centers for Disease Control and Prevention, the National Aeronautics and Space Administration, and the U.S. Navy.

4. Hackers Started Exploiting Critical "Text4Shell" Apache Commons Text Vulnerability

WordPress security company Wordfence on Thursday said it started detecting exploitation attempts targeting the newly disclosed flaw in Apache Commons Text on October 18, 2022. The vulnerability, tracked as CVE-2022-42889 aka Text4Shell, has been assigned a severity ranking of 9.8 out of a possible 10.0 on the CVSS scale and affects versions 1.5 through 1.9 of the library.

It is also similar to the now-infamous Log4Shell vulnerability in that the issue is rooted in the way string substitutions (variable interpolation) carried out during DNS, script, and URL lookups can lead to the execution of arbitrary code on susceptible systems when untrusted input is passed to the interpolator.
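As an added example (not part of the original report), the following Python scans web-server access-log lines for the `${script:`, `${dns:` and `${url:` interpolation prefixes that make CVE-2022-42889 exploitable, URL-decoding each line first so that encoded and double-encoded variants are not missed. The log lines, client IPs and probe payloads are constructed for illustration; the payloads are deliberately harmless.

```python
import re
from urllib.parse import unquote

# The three Commons Text interpolator lookups (script, dns, url) whose unrestricted
# use in versions 1.5-1.9 is the root of CVE-2022-42889. Tolerates whitespace and case.
TEXT4SHELL_RE = re.compile(r"\$\{\s*(script|dns|url)\s*:", re.IGNORECASE)

# Constructed access-log lines (not real traffic). Line 3 is single URL-encoded,
# line 4 is double-encoded, line 5 is a benign ${VAR} that must not be flagged.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Oct/2022:10:01:02 +0000] "GET /search?q=apache+commons HTTP/1.1" 200 512
10.0.0.7 - - [18/Oct/2022:10:01:09 +0000] "GET /search?q=${script:javascript:1+1} HTTP/1.1" 200 77
10.0.0.9 - - [18/Oct/2022:10:01:15 +0000] "GET /search?q=%24%7Bdns%3Aaddress%7Cexample.com%7D HTTP/1.1" 200 77
10.0.0.3 - - [18/Oct/2022:10:01:21 +0000] "GET /search?q=%2524%257Burl%253AUTF-8%253Ahttp%253A%252F%252Fexample.com%257D HTTP/1.1" 200 77
10.0.0.4 - - [18/Oct/2022:10:01:30 +0000] "GET /price?id=42&currency=${USD} HTTP/1.1" 200 900
"""


def normalize(value: str, max_rounds: int = 3) -> str:
    """URL-decode repeatedly until the text stops changing, so that
    double-encoded probes (%2524%257B...) are inspected in decoded form."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_line(line: str):
    """Return the risky lookup name (lowercase) found in the line, or None."""
    match = TEXT4SHELL_RE.search(normalize(line))
    return match.group(1).lower() if match else None


def scan_log(log_text: str):
    """Return (line_number, client_ip, lookup) for every line that carries a
    Text4Shell-style interpolation expression."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        lookup = scan_line(line)
        if lookup:
            hits.append((number, line.split(" ", 1)[0], lookup))
    return hits
```

The same pattern can be applied to request bodies and headers, since the substitution happens wherever the application feeds untrusted input into the interpolator, not only in the query string.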

5. Hackers Using New Version of FurBall Android Malware to Spy on Iranian Citizens

The Iranian threat actor known as Domestic Kitten has been attributed to a new mobile campaign that masquerades as a translation app to distribute an updated variant of an Android malware known as FurBall.

"Since June 2021, it has been distributed as a translation app via a copycat of an Iranian website that provides translated articles, journals, and books," ESET researcher Lukas Stefanko said in a report shared with The Hacker News. The updates, while retaining the same surveillance functionality as earlier versions, are designed to evade detection by security solutions, the Slovak cybersecurity firm added. Domestic Kitten, also called APT-C-50, is an Iranian threat activity cluster that has previously been identified as targeting individuals of interest with the goal of harvesting sensitive information from compromised mobile devices. It has been known to be active since at least 2016.

6. Brazilian Police Arrest Suspected Member of Lapsus$ Hacking Group

The Federal Police of Brazil on Wednesday announced it had arrested an individual for purported links to the notorious LAPSUS$ extortionist gang. The arrest was made as part of a new law enforcement effort, dubbed Operation Dark Cloud, that was launched in August 2022, the agency noted. Little is known about the suspect other than that the person could be a teenager. The Polícia Federal said it commenced its investigation in December 2021 following an attack on websites under Brazil's Ministry of Health, resulting in the alleged exfiltration of 50 TB of data and the temporary unavailability of COVID-19 vaccination information of millions of citizens. Other federal government portals targeted by the LAPSUS$ group in Brazil include the Ministry of Economy, the Comptroller General of the Union, and the Federal Highway Police.

7. European Police Arrest a Gang That Hacked Wireless Key Fobs to Steal Cars

In collaboration with Spain and Latvia, law enforcement authorities in France have disrupted a cybercrime ring that leveraged a hacking tool to steal cars without using a physical key fob. "The criminals targeted vehicles with keyless entry and start systems, exploiting the technology to get into the car and drive away," Europol said in a press statement. The coordinated operation, which took place on October 10, 2022, resulted in the arrest of 31 suspects from across 22 locations in the three nations, including the tool's software developers, its resellers, and the car thieves who used it to break into vehicles. Also confiscated by officials as part of the arrests were criminal assets worth €1,098,500, as well as an internet domain that allegedly advertised the service online. Per Europol, the criminals are said to have singled out keyless vehicles from two unnamed French car manufacturers. The perpetrators marketed the fraudulent package as an "automotive diagnostic solution" and used it to replace the vehicles' original software.

8. INTERPOL-led Operation Takes Down 'Black Axe' Cyber Crime Organization

The International Criminal Police Organization (Interpol) has announced the arrests of 75 individuals as part of a coordinated global operation against the organized cybercrime syndicate Black Axe.

"'Black Axe' and other West African organized crime groups have developed transnational networks, defrauding victims of millions while channeling their profits into lavish lifestyles and other criminal activities, from drug trafficking to sexual exploitation," the agency said. The law enforcement effort, codenamed Operation Jackal, involved the participation of Argentina, Australia, Côte d'Ivoire, France, Germany, Ireland, Italy, Malaysia, Nigeria, Spain, South Africa, the U.A.E., the U.K., and the U.S.

9. New Phishing-as-a-Service Being Used by Cyber Criminals

Cybercriminals are using a previously undocumented phishing-as-a-service (PhaaS) toolkit called Caffeine to scale up their attacks and distribute nefarious payloads effectively. "This platform has an intuitive interface and comes at a relatively low cost while providing a multitude of features and tools to its criminal clients to orchestrate and automate core elements of their phishing campaigns," Mandiant said in a new report. Some of the core features offered by the platform comprise the ability to craft customized phishing kits, manage redirect pages, dynamically generate URLs that host the payloads, and track the success of the campaigns.

Figure 2. Graphical Representation of Phishing as a Service
10. Omnicell Healthcare Company Confirms Ransomware Incident

In a US SEC (Securities and Exchange Commission) 8-K filing, Omnicell, the healthcare technology provider, revealed that some of its products, services, and internal systems were affected by ransomware. Upon detecting the incident, the medication management systems provider took immediate action to contain the attack and ensure continued operation. In its 10-Q filing, Omnicell disclosed that cyber-attacks or data breaches disrupted its business. Will you be the next victim? If you overlook the importance of data protection, attackers can get you in no time. Explore the impact of data breaches on the healthcare sector and what preventive measures can be taken against such attacks.

Here is the top 10 list of CVEs released by Microsoft for August 2022:

Severity  | CVSS Score | CVE            | Description
----------|------------|----------------|------------------------------------------------------------------------------
Important | 7.8        | CVE-2022-41033 | Windows COM+ Event System Service Elevation of Privilege Vulnerability
Important | 7.1        | CVE-2022-38042 | Active Directory Domain Services Elevation of Privilege Vulnerability
Critical  | 8.8        | CVE-2022-37976 | Active Directory Certificate Services Elevation of Privilege Vulnerability
Critical  | 10.0       | CVE-2022-37968 | Azure Arc-enabled Kubernetes cluster Connect Elevation of Privilege Vulnerability
Critical  | 7.8        | CVE-2022-38048 | Microsoft Office Remote Code Execution Vulnerability
Critical  | 8.1        | CVE-2022-30198 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability
Critical  | 8.1        | CVE-2022-24504 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability
Critical  | 8.1        | CVE-2022-33634 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability
Critical  | 8.1        | CVE-2022-22035 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability
Critical  | 8.1        | CVE-2022-38047 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability

Figure 3. Breakdown of products affected by October 2022 Patch Tuesday