The elevated attack rate is expected to persist through 2023 as cybercrime becomes more sophisticated and widespread.
How MFA Failures are Fueling a 500% Surge in Ransomware Losses
The cybersecurity threat landscape has witnessed a dramatic and alarming rise in the average ransomware payment, an increase exceeding 500%. Sophos, a global leader in cybersecurity, revealed in its annual “State of Ransomware 2024” report that the average ransom payment has increased 500% in the last year, with organizations that paid a ransom reporting an average payment of $2 million, up from …
Hackers Using Money-Making Scripts to Deliver Multiple Malware
The FBI warned about attacks on government and non-profit organizations in April, which involved deploying multiple malware strains on victim devices.
Besides this, the attackers aim to achieve the following:
Mine resources
Steal data
Establish backdoor access to systems
Cybersecurity researchers at Securelist recently identified numerous malicious money-making scripts that hackers actively use to deliver multiple malware.
Since late 2022, under this campaign, security analysts detected the following:
Numerous scripts
Executables
Associated links
Documents
Technical analysis
Following the April report on indicators of compromise, experts uncovered new malicious scripts in their August telemetry.
The following scripts appear to exploit vulnerabilities on servers and workstations to tamper with Windows Defender:
runxm1.cmd
start.cmd
The start.cmd script aims to disable protection via the registry, while the runxm1.cmd script adds files to exclusions, obtains administrator rights, and renames security solution folders.
Here below, we have listed all the executable and configuration files that the scripts attempt to download from this domain:
intelsvc.exe (A7CDE18F991E97037A7899B7669E2548)
View.exe (830debd1f6d39c726c2d3208e3314f44)
rtkaudio.exe/rtkaudio.txt (a6d4706baeb9ab97490d745f7a2bb11e)
config.txt (99634dcaca690066187e30c36182bf19)
[Figure: Downloading files (Source – Securelist)]
start.cmd launches RtkAudio.exe with config.txt as its configuration for Monero mining. Additional downloaded files include View.exe, which is executed to save various files in the C:\Users\Public directory.
[Figure: Files saved by View.exe (Source – Securelist)]
Analysis of the files reveals keylogger functionality in Systemfont.exe, while IntelSvc.exe acts as a typical backdoor, connecting to a C2 server for instructions.
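The tampering and file drops described above translate directly into host checks. The following PowerShell hunt script is an added example (not code from Securelist or Cyber Security News); it assumes an elevated session on a host running Microsoft Defender and uses only the file names and MD5 values quoted in this post. The policy value names and the path C:\Users\Public are the standard locations such scripts modify, not values taken from the samples themselves.

```powershell
# Added hunt script (not from the Securelist/Cyber Security News post).
# Checks for the Defender tampering and dropped files the post describes.
# Requires an elevated PowerShell session on a host with Microsoft Defender.

# File names and MD5 values are the ones quoted in the post.
$KnownBad = @{
    'A7CDE18F991E97037A7899B7669E2548' = 'intelsvc.exe'
    '830DEBD1F6D39C726C2D3208E3314F44' = 'View.exe'
    'A6D4706BAEB9AB97490D745F7A2BB11E' = 'rtkaudio.exe / rtkaudio.txt'
    '99634DCACA690066187E30C36182BF19' = 'config.txt'
}
$Findings = New-Object System.Collections.Generic.List[string]

# 1. Policy values a start.cmd-style script sets to switch protection off.
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$Checks = @(
    @{ Path = $PolicyRoot;                        Name = 'DisableAntiSpyware' },
    @{ Path = "$PolicyRoot\Real-Time Protection"; Name = 'DisableRealtimeMonitoring' },
    @{ Path = "$PolicyRoot\Real-Time Protection"; Name = 'DisableBehaviorMonitoring' }
)
foreach ($c in $Checks) {
    $v = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    if ($v -eq 1) { $Findings.Add("Registry: $($c.Path)\$($c.Name) = 1 (protection disabled)") }
}

# 2. Exclusions a runxm1.cmd-style script adds so the miner and backdoor are never scanned.
$Pref = Get-MpPreference
foreach ($ex in @($Pref.ExclusionPath) + @($Pref.ExclusionProcess)) {
    if ($ex) { $Findings.Add("Defender exclusion present: $ex") }
}
if ($Pref.DisableRealtimeMonitoring) { $Findings.Add('Defender real-time monitoring is disabled') }

# 3. Files dropped under C:\Users\Public, matched against the post's MD5 values.
Get-ChildItem -Path 'C:\Users\Public' -Recurse -File -Include *.exe,*.txt,*.cmd -ErrorAction SilentlyContinue |
    ForEach-Object {
        $md5 = (Get-FileHash -Path $_.FullName -Algorithm MD5).Hash   # upper-case hex
        if ($KnownBad.ContainsKey($md5)) {
            $Findings.Add("Known sample: $($_.FullName) [$md5] matches $($KnownBad[$md5])")
        } elseif ($_.Extension -eq '.exe') {
            $Findings.Add("Unexpected executable in Public profile: $($_.FullName) [$md5]")
        }
    }

if ($Findings.Count -eq 0) { 'No indicators from the post found.' } else { $Findings }
```

Any exclusion or disabled policy value reported here should be reconciled against what your management tooling actually pushed; the renamed security-solution folders the post mentions need a separate check against the product's expected install path.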
Attack Geography
Researchers have noted over 10,000 attacks targeting 200+ users globally since May 2023, primarily affecting B2B sectors such as:
Government agencies
Agriculture
Retail
These threats were primarily encountered in the following countries:
Russian Federation
Saudi Arabia
Vietnam
Brazil
Romania
Threat actors are increasingly targeting the B2B sector, using initial crypto-miner infections as a gateway for more harmful attacks like backdoors and keyloggers.
To defend against these evolving threats, businesses must continuously enhance their security measures.
Indicators of Compromise
MD5
The post Hackers Using Money-Making Scripts to Deliver Multiple Malware appeared first on Cyber Security News.
Cyber Security News
Top 10 Vulnerabilities That Were Exploited the Most In 2023
Several vulnerabilities have been identified and exploited by threat actors in the wild this year for a range of malicious purposes, such as ransomware, cyber espionage, data theft, cyberterrorism, and nation-state-sponsored activities.
Some of these vulnerabilities were added to CISA’s Known Exploited Vulnerabilities catalog, marking them as extremely important to patch. Products from several vendors, such as Microsoft, Citrix, Fortinet, Progress, and many others, were affected.
Some of the top vulnerabilities that were exploited this year are:
MOVEit Vulnerability (CVE-2023-34362)
Microsoft Outlook Privilege Escalation (CVE-2023-23397)
Fortinet FortiOS (CVE-2022-41328)
Windows Common Log File System Driver Privilege Escalation (CVE-2023-28252)
Barracuda Email Security Gateway Vulnerability (CVE-2023-2868)
Adobe ColdFusion (CVE-2023-26360)
Citrix Bleed Vulnerability (CVE-2023-4966)
Windows Smart Screen Bypass (CVE-2023-24880)
SugarCRM Remote Code Execution (CVE-2023-22952)
Progress MOVEit SQL Injection vulnerability
This vulnerability existed in Progress MOVEit Transfer versions before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1), which were vulnerable to SQL injection.
An unauthenticated threat actor could exploit this vulnerability to gain access to MOVEit Transfer’s database and perform malicious actions such as altering or deleting database elements.
This vulnerability was exploited in the wild in May and June 2023 by the CL0P ransomware group. The severity of this vulnerability was given as 9.8 (Critical). Progress released patched versions to fix this vulnerability alongside precautionary steps.
Microsoft Outlook Elevation of Privilege Vulnerability
This vulnerability existed in all versions of the Outlook client, including Outlook for Android, iOS, Mac, and Windows. A threat actor can exploit it by sending a specially crafted email, which triggers the exploit automatically.
Moreover, this is a zero-click vulnerability, as no user interaction is required to exploit this vulnerability. Successful exploitation of this vulnerability leaks the victim’s Net-NTLMv2 hashes, which can then be used to perform relay attacks on other systems and also authenticate the threat actor as the targeted user.
A Russia-based threat actor exploited this vulnerability to target government, transportation, energy, and military sectors in Europe. The severity for this vulnerability has been given as 9.8 (Critical).
Microsoft has released a patched version to address this vulnerability.
Path Traversal Vulnerability in Fortinet FortiOS
This vulnerability existed in multiple FortiOS versions, allowing a privileged threat actor to read and write arbitrary files through crafted CLI commands, due to improper limitation of a pathname to a restricted directory.
This vulnerability was found to be exploited by a Chinese cyberespionage group against governments. The severity of this vulnerability was given as 7.1 (High). Fortinet has released patched versions to fix this vulnerability.
CVE-2023-28858: Off-by-one Error in ChatGPT
This vulnerability existed in the redis-py library used by ChatGPT, in versions before 4.5.3, and allowed a user to see someone else’s chat history if both users were active simultaneously. Moreover, OpenAI stated that there may have been an “unintentional visibility of payment-related information of 1.2% of the ChatGPT Plus subscribers who were active during the existence of this bug.”
OpenAI has patched this vulnerability swiftly upon being notified. The severity of this vulnerability was given as 3.7 (Low).
Windows Common Log File System Driver Privilege Escalation
This vulnerability allows a threat actor with access to the system to run code with SYSTEM privileges. It exists in the clfs.sys driver, which is installed by default on Windows 10 21H2, Windows 11 21H2 and Windows Server 20348.
The Nokoyawa ransomware group exploited this vulnerability to attack organizations in April 2023. The severity for this vulnerability was given as 7.8 (High). Microsoft has released patches to fix this vulnerability.
RCE in Barracuda Email Security Gateway
This vulnerability existed in Barracuda Email Security Gateway versions 5.1.3.001 through 9.2.0.006, due to improper sanitization during the processing of .tar files. A threat actor could exploit this vulnerability to execute system commands with the product’s privileges.
This vulnerability was actively exploited by UNC4841, which works under the support of the People’s Republic of China for espionage and other activities. The severity for this vulnerability was given as 9.8 (Critical).
Barracuda Networks has released patches for this vulnerability.
Arbitrary code execution in Adobe ColdFusion
This vulnerability affects Adobe ColdFusion version 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier), allowing threat actors to execute arbitrary code under the user’s context due to improper access control.
An unknown threat actor exploited this vulnerability in June and July 2023. The severity of this vulnerability was given as 9.8 (Critical). Adobe has released patches to fix this vulnerability.
Citrix Bleed Vulnerability
This vulnerability existed in multiple versions of Citrix NetScaler ADC and Gateway appliances, allowing threat actors to retrieve sensitive information on affected devices. The LockBit 3.0 Ransomware group actively exploited this vulnerability in November 2023.
The severity of this vulnerability was given as 7.5 (High). Public exploit code exists for this vulnerability, and several instances of exploitation were found. Citrix has released patches to fix this vulnerability.
CVE-2023-24880: Windows SmartScreen Security Feature Bypass Vulnerability
Threat actors can exploit this vulnerability by delivering malicious MSI files that bypass the Mark-of-the-Web (MOTW) warning, potentially deploying malware onto the system. This vulnerability was exploited by Magniber ransomware and Qakbot malware threat actors.
The severity of this vulnerability was given as 4.4 (Medium). Moreover, this vulnerability bypassed the fix for a previously identified vulnerability in Windows SmartScreen. Microsoft has released patches to fix this vulnerability.
CVE-2023-22952: Remote Code Execution Vulnerability in SugarCRM
This vulnerability exists in the email templates of SugarCRM and can be exploited by a threat actor holding any user privilege using a specially crafted request. The threat actor can also inject custom PHP code due to missing input validation.
The severity of this vulnerability was given as 8.8 (High). Many SugarCRM 11.0 and 12.0 products were affected by this vulnerability. SugarCRM has released patches to fix it.
Several other critical vulnerabilities were discovered this year beyond those listed above. Users of these products are recommended to upgrade to the latest versions to prevent these vulnerabilities from being exploited by threat actors.
The post Top 10 Vulnerabilities That Were Exploited the Most In 2023 appeared first on Cyber Security News.