Microsoft fixes zero-days abused by Russian hackers, ransomware actors

Microsoft released its March 2023 Patch Tuesday software updates meant to address more than 80 security issues, including two actively exploited zero-day vulnerabilities.

One of the zero-day flaws is CVE-2023-23397, a Microsoft Outlook elevation of privilege vulnerability that allows a remote attacker to compromise the vulnerable system. The flaw is said to have been exploited by the Russian state-backed hacker group Strontium (aka APT28, Fancy Bear) in attacks against a limited number of organizations in government, transportation, energy, and military sectors in Europe.

The second zero-day flaw, tracked as CVE-2023-24880, is a SmartScreen security feature bypass in Microsoft Windows, which could be exploited to bypass the Mark of the Web (MOTW) defenses. According to Google’s TAG team, this flaw has been exploited by the Magniber ransomware operation.

New FortiOS bug exploited in attacks targeting government orgs

Threat actors used a recently patched vulnerability in Fortinet FortiOS software in attacks aimed at government entities and government-related organizations with the likely goal to steal data. The zero-day vulnerability in question is CVE-2022-41328, a path traversal issue stemming from input validation error occurring when processing certain CLI command, which may allow a privileged attacker to read and write arbitrary files via crafted CLI commands. Cybersecurity firm Mandiant has linked the attacks to a China-nexus threat group it tracks as UNC3886.

Hackers stole nearly $200 million from DeFi lending protocol Euler Finance

Ethereum-based crypto lending protocol Euler Finance has fallen victim to a flash loan attack resulting in a loss of $196 million in crypto assets. The hack is estimated to be the largest crypto theft in 2023 so far. The attacker drained over $8.8 million in DAI, over $135.8 million in tokenized ether (stETH), more than $33.8 million in USDC and other altcoins reportedly using a weakness in the donateToReserves() function.

Police shut down crypto money laundering platform ChipMixer used by hackers and drug dealers

An international law enforcement effort took down the cryptocurrency platform ChipMixer used by criminals, including drug dealers and ransomware actors, as well as Russian and North Korean state-backed hacker groups.

The platform’s infrastructure was shut down on March 15, with the authorities seizing four servers and about 1909.4 Bitcoins (approx. 44.2 million euros).

Two 'ViLE' cybercrime gang members charged with a 2022 DEA hack

Two suspected members of the notorious “ViLE” cybercrime group have been charged for their involvement in a hack of the US Drug Enforcement Agency (DEA) portal and a Bangladeshi police official’s email account and blackmail attempts.

The suspects, Sagar Steven Singh (aka “Weep”) and Nicholas Ceraolo (aka “Convict” and “Ominous”), used stolen credentials to access the DEA portal containing detailed information, including nonpublic records of narcotics and currency seizures and intelligence reports. They then used the stolen data to extort subjects of the reports, threatening to leak their personal information.

Hackers leak data related to the development of Russian Sputnik V vaccine

A hacker group known as “KelvinSecurity” reportedly leaked hundreds of documents that allegedly contain information on the development of Russian Sputnik V COVID-19 vaccine, including data on deaths of participants in the vaccine's clinical trials. According to the group, the data came from “the review of the mailboxes of the developer company,” indicating a possible breach at the Gamaleya Research Institute.

The leaked dataset also includes classified documents containing information on the vaccine's development phases, funding, and quality, as well as some specific cases pertaining to clinical trials.

Microsoft says Russia targeted at least 17 European nations in 2023

Microsoft warns that Russian threat actors appear to be preparing a renewed wave of cyberattacks against Ukraine and possibly beyond, including a “ransomware-style” threat to organizations serving Ukraine’s supply lines. Ukraine is not the only country targeted by the Kremlin-backed hackers since the start of the war - the report shows that at least 17 European countries have been targeted in espionage campaigns in the first couple of months of 2023, and 74 countries have been targeted since the start of the war.

The 18-page report highlights Russian activity last year, mostly covering Iridium (aka Sandworm and Voodoo Bear) threat activity, including one of the group’s ransomware strains named RansomBoggs (aka Sullivan).

In related news, Wired published an interesting piece about Evgenii Serebriakov, the alleged new leader of the Sandworm APT.  According to Wired, Serebriakov was placed in charge of Sandworm in the spring of 2022 after serving as deputy commander of APT28 (aka Fancy Bear), another one of the GRU's cyber units.

Serebriakov along with six other GRU agents was indicted in 2018 after being caught in the midst of a close-range cyberespionage operation in the Netherlands that targeted the Organization for the Prohibition of Chemical Weapons in the Hague.

Russia-linked Winter Vivern APT targets government officials in India, Lithuania, Slovakia, and the Vatican

SentinelLabs released a report detailing the activities of Winter Vivern (UAC-0114), a threat actor “aligned with global objectives that support the interests of Belarus and Russia's governments.”

The recent Winter Vivern’s phishing campaigns have targeted Polish government agencies, the Ukraine Ministry of Foreign Affairs, the Italy Ministry of Foreign Affairs, individuals within the Indian government, as well as telecommunications organizations that support Ukraine in the ongoing war.

Russian cyber spies target govt agencies in EU that assist Ukraine

The Russia-linked threat actor Nobelium has been observed targeting diplomatic entities and government agencies in European Union countries that are aiding Ukrainian citizens and providing help to the country’s government.

The recent Nobelium’s campaign observed in March 2023 involved phishing emails purportedly sent by the European Commission and Poland’s Ministry of Foreign Affairs. The malicious emails contained a weaponized document with a link leading to the download of an HTML file. The weaponized URLs were hosted on a legitimate online library website based in El Salvador, which the threat actor is believed to have compromised between the end of January and the beginning of February.

Chinese and Russian cybercriminals are using new Silkloader malware to evade detection

A new report from Finnish cybersecurity company WithSecure details a new piece of malware called Silkloader designed to load Cobalt Strike onto infected systems. The malware has been observed in attacks conducted by Chinese and Russian cybercrime groups. Silkloader uses side-loading through the VLC media player to install Cobalt Strike beacons on infected hosts. The researchers say they spotted the malware in “several human-operated intrusions that resembled precursors to ransomware deployments.”

BianLian ransomware gang shifts focus on data-leak extortion

Cybersecurity firm Redacted has published a report on cyber activities of the BianLian ransomware operation. The company notes that after a free decryptor for the BianLian ransomware was released in January 2023 the group has changed tactics switching from ransoming encrypted files to focus more on data-leak extortion as a means to extract payments from victims. The gang have been attempting to amplify the effectiveness of extortion threats by tailoring the messages delivered to specific victims in an effort to increase the pressure felt by the organizations.

Rubrik says hackers stole data via GoAnywhere zero-day flaw

US-based cloud data management and data security company Rubrik has confirmed that its data was stolen using a zero-day vulnerability in the Fortra GoAnywhere secure file transfer protocol.

The affected data includes Rubrik internal sales information such as certain customer and partner company names, business contact information, and a limited number of purchase orders from Rubrik distributors. Sensitive personal data such as social security numbers, financial account numbers, or payment card numbers is said to have not been impacted in the breach.

Prometei botnet malware updated with new capabilities to complicate forensic analysis

A new version of a botnet malware called “Prometei” has been spotted that comes with the improved infrastructure components and capabilities that allow to automate processes and make forensic analysis more difficult. According to a new report from Cisco’s Talos threat research team, Prometei has infected more than 10,000 victims worldwide since November 2022, with a majority of the victims reported in Brazil, Indonesia, and Turkey.

Interestingly, the new version of the malware is designed to avoid attacking Russia, suggesting that the bot’s targeting may have been influenced by the war in Ukraine.

New GoBruteforcer malware targets phpMyAdmin, MySQL, FTP and Postgres servers

Researchers at Palo Alto Networks’s Unit 42 have discovered a new Go-based malware strain they dubbed GoBruteforcer that is being used to attack web servers running phpMyAdmin, MySQL, FTP and Postgres service.

GoBruteforcer uses brute-force techniques to compromise servers and ensnare them into a botnet. The malware is compatible with x86, x64, and ARM architectures.