Take a look at this week's Cyber Weekly Digest for a rundown of the biggest cyber security news from the week. In this digest we dive into some of the latest critical vulnerabilities being exploited by attackers as well as the three individuals arrest in Amsterdam after extorting €2.5 million. Keep reading to stay up to date on the latest cyber security news.
Three men were arrested by The Amsterdam cybercrime police team for ransomware activity that generated €2.5 million from extorting small and large organisations in multiple countries. The suspects, aged 18-21, are charged with stealing sensitive data from victim networks and demanding a ransom. It is believed that they attacked thousands of companies. Victims include online shops, software firms, social media companies, and institutions connected to critical infrastructure and services. The threat actors demanded between €100,000 and €700,000, depending on the size of the organisation they compromised. The extortion involved threats of leaking the data or destroying the company’s digital infrastructure. The Dutch police also stated that when the victims paid the ransom, the ransomware operators would still sell the stolen data online in some cases, to maximise profit. It is estimated that the hackers stole personal data belonging to tens of millions of individuals, including names, email addresses, telephone numbers, bank account numbers, credit card details, account passwords, license plates, and passport details. This information can be used in phishing and social engineering attacks, and various fraudulent activities.
PureCypter is a malware downloader that is being utilizsed by a threat actor to target government entities and has been seen delivering multiple information stealers and ransomware strains. Researchers have discovered that the threat actor used Discord to host the initial payload and compromised a non-profit organisation to store additional hosts used in the campaign. Researchers stated that, "The campaign was found to have delivered several types of malware including Redline Stealer, AgentTesla, Eternity, Blackmoon and Philadelphia Ransomware." Also, according to the researchers, the PureCrypter campaign targeted multiple government organisations in the Asia-Pacific (APAC) and North American regions. The attack chain begins with an email that has a Discord app URL pointing to a PureCrypter sample in a password-protected ZIP archive. PureCrypter is a .NET-based malware downloader first seen in the wild in March 2021. Its operator rents it to other cybercriminals to distribute various types of malware. It then obfuscates the ransomware/infostealer sample such as AgentTesla for further exploitation. AgentTestla has been abused by cybercriminals for the last eight years. It also uses XOR encryption to protect it’s communications with the C2 server, like its configuration files, from network traffic monitoring tools.
Two critical-severity vulnerabilities in the Houzez theme plugin for WordPress are actively being exploited by hackers. The two add-ons are primarily used in real estate websites. The Houzez theme is a premium theme that costs $69, offering easy listing management and a smooth customer experience. The vendor of Houzez claims that they serve over 35,000 customers in the real estate industry. The two vulnerabilities were discovered by Patchstack’s threat researcher Dave Jong and reported to the theme’s vendor, “ThemeForest,” with one flaw fixed in version 2.6.4 (August 2022) and the other in version 2.7.2 (November 2022). However, a new Patchstack report warns that some websites have not applied the security update, and threat actors actively exploit these older flaws in ongoing attacks. The first Houzez flaw is tracked as CVE-2023-26540 with a severity rating of 9.8 out of 10 in the CVSS v3.1 standard. It's a security misconfiguration impacting the Houzez Theme plugin version 2.7.1 and older and can be exploited remotely without requiring authentication to perform privilege escalation. The second flaw has received the identifier CVE-2023-26009, and it's also rated critical (CVSS v3.1: 9.8), impacting the Houzez Login Register plugin. The vulnerability allows unauthenticated attackers to perform privilege escalation on sites using the plugin.
CVE-2022-36537 has been added to the “Known Exploited Vulnerabilities Catalogue” by the US Cybersecurity & Infrastructure Security Agency (CISA) after threat actors began actively exploiting the remote code execution (RCE) flaw in attacks. The vulnerability is a high severity CVSS v3.1 score of 7.5 impacting the ZK Framework versions 9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2 and 8.6.4.1, enabling attackers to access sensitive information by sending a specially crafted POST request to the AuUploader component. "ZK Framework AuUploader servlets contain an unspecified vulnerability that could allow an attacker to retrieve the content of a file located in the web context," mentions CISA's description of the flaw. The ZK framework is written in Java, it is an open-source Ajax Web app framework.
The Chinese cyberespionage group APT27, or “Iron Tiger”, has developed a new Linux version of its SysUpdate remote access malware, allowing them to target more services used in the enterprise. According to a new a report by researchers, the malware was first tested by the attackers in July 2022. However, only in October 2022 did multiple payloads begin circulating in the wild. Written in C++ using the Asio library, its functionality is very similar to Iron Tiger’s Windows variant of SysUpdate. The threat actor's interest in expanding the targeting scope to systems beyond Windows became evident last summer when SEKOIA and Trend Micro reported seeing APT27 targeting Linux and macOS systems using a new backdoor named "rshell”. The infection vector is still unknown, it is believed by some Trend Micro analysts that chat apps were used to trick employees into downloading initial infection payloads. The Linux variant of SysUpdate is an ELF executable and shares common network encryption keys and file-handling functions with its Windows counterpart.
Comments