This week’s cybersecurity headlines show that ransomware actors are constantly evolving, and the shutdown of a few ransomware groups is certainly not a sign that the threat as a whole is receding. To bring more clarity to this, here are the major cybersecurity headlines:
Two New Ransomware Strains in Town
Cybersecurity experts have recently discovered two new ransomware variants called Yashma and Nokoyawa. Yashma is a new variant of the Chaos ransomware and is also known as Chaos 4.0. It comes with two new features: the ability to terminate running processes associated with backup or antivirus software, and the ability to stop execution based on the victim’s location. Chaos came into the picture in June 2021, and within just a year it had spawned six variants. Yashma, like the previous Chaos variants, is a file destroyer and doesn’t come with any decryption tool or file recovery instructions.
The Nokoyawa ransomware, on the other hand, resembles the Karma ransomware and has been improved using publicly available code. Most of its code was copied from the Babuk ransomware source, which was leaked in September 2021. Its new features increase the number of files it can encrypt and require victims to contact the attackers through the Tor Browser and a .onion URL.
The emergence of these two ransomware strains highlights a very important attack trend where adversaries do not seem to be demotivated even after the shutdown of ransomware giants like Conti. On the contrary, these attackers use publicly available source code to improve their malware strains by adding new capabilities.
Zyxel Releases an Advisory Warning of Four Flaws
Zyxel has recently published a security advisory warning admins about several vulnerabilities affecting its firewall, AP controller, and AP products. While none of the vulnerabilities has been rated critical, it is still important to patch them, as adversaries can easily exploit them. The Zyxel advisory lists four vulnerabilities: CVE-2022-0734, CVE-2022-26531, CVE-2022-26532, and CVE-2022-0910. CVE-2022-26532 is the only high-severity vulnerability (with a CVSS v3.1 score of 7.8). The rest are medium-severity flaws, with CVSS scores ranging from 5.8 to 6.5.
The following are the specifics of each of these flaws:
- CVE-2022-0734 is a cross-site scripting vulnerability affecting the CGI component. Exploiting this flaw enables adversaries to use a data-stealing script to snatch session tokens and cookies stored in the user’s browser.
- CVE-2022-26531 is an improper validation flaw affecting some CLI commands. Exploiting this flaw enables adversaries to cause a system crash or a buffer overflow.
- CVE-2022-26532 is a command injection flaw affecting some CLI commands. Exploiting this flaw enables adversaries to execute arbitrary OS commands.
- CVE-2022-0910 is an authentication bypass vulnerability affecting the CGI component. Exploiting this flaw enables adversaries to go from two-factor authentication to one-factor authentication using an IPsec VPN client.
These vulnerabilities affect USG/ZyWALL, ATP, USG FLEX, and NSG firewalls, VPN devices, NXC2500 and NXC5500 AP controllers, and other Access Point products. Fortunately, Zyxel has released patches to address these flaws and has asked admins to request a hotfix from their local service representative for the AP controllers, since those patches are not publicly available.
D.C. Attorney General Sues Zuckerberg Over Cambridge Analytica Scandal
The District of Columbia recently sued Meta CEO Mark Zuckerberg for his alleged role in the Cambridge Analytica privacy breach that affected millions of Facebook users and led to a major political and corporate scandal. D.C. Attorney General Karl Racine filed a civil lawsuit against Zuckerberg in the D.C. Superior Court, accusing him of directly participating in company decisions related to sharing users’ data. The lawsuit claims that he was fully aware of the risks of sharing user information and allowed it anyway, leading to the scandal involving the data-mining firm Cambridge Analytica.
Cambridge Analytica harvested information linked to over 87 million Facebook users without their permission and used it to manipulate the 2016 presidential elections. In the lawsuit, Racine asks for damages and penalties from Zuckerberg, as he controls over 50% of Facebook’s voting shares and its operations. A spokesperson for Meta (Facebook’s parent company) declined to comment on the issue. This wasn’t the first time Racine approached the D.C. Superior Court with a lawsuit against Zuckerberg over his involvement in the Facebook-Cambridge Analytica scandal. Time will reveal whether the court listens to Racine this time!
New Ransomware Group Alert
Cybersecurity researchers have recently identified a new ransomware group called RansomHouse, which exfiltrates data from organizations and offers to delete it in return for a ransom. First spotted in March 2022, RansomHouse has attacked four organizations so far. It does not deploy any ransomware at all; it simply exploits vulnerabilities to infiltrate networks. The RansomHouse operators exfiltrate data manually, targeting one victim at a time.
The group has three Telegram channels in addition to its .onion site: the first channel is for announcements of new victims, the second for interacting with followers, and the third for journalists. The known victims of RansomHouse include a German airline support service provider and the Saskatchewan Liquor and Gaming Authority (SLGA). The gang does not take ownership of its attacks and instead blames victims for their poor ransomware protection measures. Going by this trait, security experts believe that the adversaries could be dissatisfied bug bounty hunters. At this point, RansomHouse doesn’t show the potential to become a major threat actor, but taking precautions to avoid being attacked by it is still advisable.
Security Issues With PayPal’s Money Transfer Service
A cybersecurity researcher known as h4x0r_dz recently discovered an unpatched vulnerability in PayPal’s money transfer service that lets adversaries trick victims into approving attacker-directed transactions with a single click. This technique is known as clickjacking or UI redressing and involves tricking unsuspecting users into clicking on seemingly harmless web page elements, whether to download malware or to redirect them to malicious sites, with the ultimate goal of compromising sensitive and confidential information assets. Attackers typically overlay an invisible page or HTML element on top of the visible, genuine page.
In essence, the adversaries hijack clicks meant for the legitimate page and redirect them to another, malicious page. The security researcher found the flaw on the “www.paypal[.]com/agreements/approve” endpoint and claimed it had already been reported to PayPal in October 2021. He said that the endpoint was dedicated to billing agreements and must only accept a billingAgreementToken. However, by exploiting the flaw, adversaries can easily pass another token type and steal money from victims’ PayPal accounts. PayPal users must be careful when using the service, as the bug remains unpatched.
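The standard server-side defence against clickjacking is to stop the page from being framed by other origins. The following added example (not code from the article or from PayPal) classifies a response's framing policy from its headers and shows the hardened header set a sensitive approval page should send; all header values are constructed samples.

```javascript
// Added example (not from the article or PayPal): classify whether a response's
// headers stop the page from being framed by other origins, the server-side
// defence against clickjacking / UI redressing, and produce hardened headers.

// Source list of the CSP frame-ancestors directive, lowercased.
// Returns null when the directive is missing or has no sources.
function frameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(";")) {
    const parts = directive.trim().split(/\s+/).filter(Boolean);
    if (parts.length > 1 && parts[0].toLowerCase() === "frame-ancestors") {
      return parts.slice(1).map((s) => s.toLowerCase());
    }
  }
  return null;
}

// "none": no site may frame the page; "restricted": only listed origins
// (e.g. 'self'); "open": any site can frame it, so clickjacking is possible.
// `headers` uses lowercase names, as Node's http module delivers them.
function framingProtection(headers) {
  const fa = frameAncestors(headers["content-security-policy"]);
  if (fa !== null) {
    // Browsers that understand frame-ancestors ignore X-Frame-Options.
    if (fa.includes("'none'")) return "none";
    if (fa.some((s) => s === "*" || s === "http:" || s === "https:")) return "open";
    return "restricted";
  }
  const xfo = (headers["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return "none";
  if (xfo === "SAMEORIGIN") return "restricted";
  return "open"; // absent, or the obsolete ALLOW-FROM form: no protection
}

// Headers a payment-approval page should send: both mechanisms, so older
// browsers without frame-ancestors support are covered as well.
function hardenedHeaders() {
  return {
    "content-security-policy": "frame-ancestors 'none'",
    "x-frame-options": "DENY",
    "cache-control": "no-store",
  };
}

// Constructed sample: a page served with no framing protection at all.
const unprotected = { "content-type": "text/html" };
console.log(framingProtection(unprotected), framingProtection(hardenedHeaders()));
```

Run it against the headers of any page that approves a transaction; a result of "open" means a third-party page can lay an invisible frame over it.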
Beware of Stealthy Skimmers
Attackers mainly use three hiding methods to make web skimmers stealthier and harder to detect: script spoofing, injecting scripts into images, and string concatenation. While stealthy skimmers help adversaries go undetected and continue their malicious activity, they also reduce the efficacy of the threat detection products that users rely on. This, in turn, increases the risk to users and pushes them further away from a secure cyberspace. Therefore, admins are advised to use the latest versions of their CMS and plugins and to actively scan for and detect threats. As a precaution, users should rely on one-time-use virtual cards to safeguard their hard-earned money from being stolen.
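As an added example (not from the article), here are three lightweight detectors a site owner could run over their own pages and assets, one per hiding technique named above: an allowlist check on script hosts for spoofed scripts, an inspection of image files for trailing or embedded script text, and a heuristic for string-concatenation obfuscation. All inputs are constructed, and "shop.example" is an assumed site origin.

```javascript
// Added example, not from the article: three lightweight detectors, one per
// hiding technique named above. Inputs are constructed; "shop.example" is assumed.

// 1. Script spoofing: a skimmer served from a lookalike host under a familiar
//    library name. Report <script src> hosts that are not on the allowlist.
function foreignScriptSources(html, allowedHosts) {
  const out = [];
  for (const m of html.matchAll(/<script[^>]*\ssrc\s*=\s*["']([^"']+)["']/gi)) {
    try {
      const host = new URL(m[1], "https://shop.example/").hostname;
      if (!allowedHosts.includes(host)) out.push(m[1]);
    } catch { /* unparsable src: skip it */ }
  }
  return out;
}

// 2. Script hidden in an image: a JPEG ends at its EOI marker and a PNG at its
//    IEND chunk, so bytes after that point, or script text anywhere, are suspicious.
function inspectImage(buf) {
  let end = -1;
  if (buf[0] === 0xff && buf[1] === 0xd8) {
    end = buf.lastIndexOf(Buffer.from([0xff, 0xd9])); // last EOI skips thumbnails
    if (end >= 0) end += 2;
  } else if (buf.subarray(0, 8).equals(Buffer.from("89504e470d0a1a0a", "hex"))) {
    end = buf.indexOf("IEND");
    if (end >= 0) end += 8;                           // "IEND" + 4-byte CRC
  }
  const text = buf.toString("latin1").toLowerCase();
  const markers = text.match(/<script|<\?php|eval\(|document\.|\.cookie|fetch\(/g) || [];
  return {
    isImage: end >= 0,
    trailingBytes: end >= 0 ? buf.length - end : buf.length,
    scriptMarkers: markers.length,
  };
}

// 3. String concatenation: names such as "cc_number" are assembled from short
//    fragments so they never appear literally. Count '+'-joined chains of them.
function concatObfuscationScore(js) {
  const chain = /(['"])[^'"]{1,4}\1\s*\+\s*(?=['"])/g;
  return (js.match(chain) || []).length;
}

// Constructed sample: a minimal JPEG with script text appended after its EOI.
const taintedJpeg = Buffer.concat([
  Buffer.from([0xff, 0xd8, 0xff, 0xe0, 0x00, 0x02, 0xff, 0xd9]),
  Buffer.from("<script>/* skimmer placeholder */</script>"),
]);
console.log(inspectImage(taintedJpeg), concatObfuscationScore('"cc" + "_nu" + "mb" + "er"'));
```

These are heuristics for triage, not verdicts: a high concatenation score or a non-zero trailing byte count on an image is a reason to look at the file, not proof of compromise.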