Keeping up with cybersecurity news has become necessary for organizations and experts who want to engage with the community, understand the mindset of threat actors, and protect themselves better. Here are the top cybersecurity news pieces of the past week that caused a significant stir in the digital community.

 

No Authentication Patch for EoL routers, Says Cisco

Cisco has logged a new zero-day bug in several of its small business VPN (Virtual Private Network) routers. Cisco has clarified that the affected devices have reached EoL (End of Life), so the company will not be patching the vulnerability.

Recorded as CVE-2022-20923, the zero-day vulnerability allows threat actors to log into the VPN service by crafting credentials that bypass its faulty password validation mechanism. The exposure enables threat actors to obtain admin-level privileges, depending upon the crafted credentials used. To check whether threat actors can access the IPSec VPN server, administrators can log into the web interface and check whether the “Server Enable” box is checked in Setup; if it is, the device is exposed to the zero-day exploit.

Cisco’s PSIRT (Product Security Incident Response Team) did not find a proof of concept for the zero-day or signs of a threat actor exploiting it. The organization will not release software patches to address the vulnerability. Cisco has urged its clientele using the legacy RV110W, RV130, RV130W, and RV215W routers to upgrade to Cisco Small Business routers.

 

Cobalt Strike Servers Flooded with Anti-Russia Messages

The servers of Cobalt Strike were flooded with anti-Russia messages to disrupt the cybercriminal group’s activities. The C2 TeamServers utilized by members of Cobalt Strike received anti-Russian messages that included statements such as “Stop the war!”, “15000+ dead Russian soldiers!”, “Stop Putin!” and more.

The Conti ransomware group closed its internal infrastructure in May 2022. However, the ransomware group’s members joined other cybercriminal groups such as Quantum and Hive. Some group members still utilize the Cobalt Strike infrastructure for ransomware operations. Advanced Intelligence’s CEO, Vitali Kremez, believes the actor behind the attack on ex-Cobalt Strike members targeted at least four servers, flooding them with a message frequency of 2 seconds, overloading the TeamServer’s Java application, and causing a DoS (Denial of Service) condition. The actor behind the attack is still unknown, but Kremez believes other ex-members of the Conti ransomware group are behind it, flooding each new server as it is discovered.

The attack has disrupted the ransomware gangs’ malicious activities. LockBit suffered a similar attack, after which it shut down its leak sites and blamed Entrust for the attack.

 

SharkBot Malware Strikes Google Play Once More

The SharkBot malware struck Google’s Play Store again, this time with a fresh and upgraded version targeting the login credentials of banking applications of Android users.

SharkBot’s upgraded technique is a sophisticated approach in which the threat actors deployed two Android applications, “Mister Phone Cleaner” and “Kylhavy Mobile Security,” with no malicious code so that they would pass Google’s automatic review. In subsequent updates, the applications downloaded and installed SharkBot on the victims’ phones. The two applications were installed on over 60,000 devices. The previous version of SharkBot could perform overlay attacks and espionage, steal information via keylogging, and allow the threat actors to assume remote control of the affected devices. The fresh “dropper” version of SharkBot utilizes a C2 (Command and Control) approach to download the malware and contains all the prior version’s features, with the addition of a cookie logger to take over victim accounts.

SharkBot’s evolution and its different approach to infecting devices are highly dangerous, and victims should practice caution and remove the applications manually.

 

Samsung Confirmed Data Breach of US Systems

Samsung released a customer information notice on 2 September 2022, informing its customers of a data breach of its US systems. Samsung detected the incident, which resulted in the exfiltration of personal information from its US systems.

In the advisory, Samsung highlighted that it is collaborating with a leading cybersecurity firm and law enforcement as part of its ongoing investigation of the data breach. The leaked information varies with each affected customer. It included the names of Samsung’s customers, their contacts, demographics, date of birth, and information regarding product registrations. Still, Samsung has clarified that there was no loss of social security numbers or credit card numbers during the data breach.

The data breach occurred in July and is the second one that the organization has confirmed in 2022, the first one being the LAPSUS$ breach for data extortion in March. Samsung has urged its clientele to remain cautious of communications that ask about confidential information, phishing links, and unsolicited attachments.

 

Chile Government Hit with New Ransomware

The Chilean government was the victim of a ransomware attack that impacted the operations and online services of CSIRT (Chile National Computer Security and Incident Response Team).

The threat actors halted the operations of all virtual machines and encrypted the files, appending the “.crypt” extension. CSIRT explained how the ransomware used NTRUEncrypt public-key encryption to target log, executable, dynamic library, swap, snapshot, and virtual machine files. Since its discovery in late August, the malware, dubbed RedAlert or N13V, has encrypted both Windows and Linux VMware ESXi servers and had functions to steal credentials from web browsers. It evaded antivirus detection by utilizing execution timeouts and could list removable media for encryption.

Chile’s CSIRT could not identify the cybercriminal group responsible for N13V, as a similar technique of appending extensions is observed in the behavior of multiple threat actors. Another interesting fact is that the ransom note appeared before the final payload delivery to avoid leakage of contact details and evasive techniques.

 

Data Leak at IRS Exposed 120,000 Taxpayers

Confidential information of 120,000 taxpayers who filed the 990-T form of the IRS (Internal Revenue Service) was recently leaked. The IRS form is usually used to report unrelated business income to nonprofits, IRAs (Individual Retirement Accounts), SEPs (Simplified Employee Pensions), or other tax-exempt entities. The income originates from transactions that do not relate to the nonprofit’s primary purpose.

The news came as a stunner, with the IRS’s statement on 2 September 2022 highlighting that machine-readable XML (Extensible Markup Language) Form 990-T data had leaked from the bulk download sections of the website, IRS[.]gov. The IRS claims it took immediate action in removing the download files and is set to work with groups to routinely check for such errors and to replace the files with correct data soon.

The IRS clarifies that some of the data not subject to public disclosure ended up in the leak. Social security numbers, detailed contact information, and individual income tax return details were not leaked. However, some personal names and business contact information did get out. The incident is still under review by the IRS.
