21 April 2023

Cyber security week in review: April 21, 2023


Google fixes two Chrome zero-days in one week

Google released security updates for its Chrome browser for Windows, macOS, and Linux to address two zero-day flaws that have been exploited in the wild.

The two zero-days are CVE-2023-2033 and CVE-2023-2136. The first is a type confusion issue in the V8 JavaScript engine that could lead to remote code execution; the second is an integer overflow in Chrome's Skia graphics component. A remote attacker can trick a victim into opening a specially crafted web page, trigger the overflow and execute arbitrary code on the target system.

Fortra shares details on GoAnywhere MFT zero-day exploited in ransomware attacks

Fortra, the company behind the GoAnywhere MFT (Managed File Transfer) product, published a report detailing the findings of its investigation into the exploitation of CVE-2023-0669, a zero-day flaw in GoAnywhere MFT that the Cl0p ransomware actors exploited to steal data from over a hundred companies.

The company says the threat actor leveraged CVE-2023-0669 to create unauthorized user accounts in some MFTaaS customer environments and to install the “Netcat” and “Errors.jsp” tools between January 28 and January 31, 2023. Neither tool was installed in every affected environment, and the two were not consistently deployed together.

3CX hack caused by another supply chain attack

A suspected North Korean supply-chain attack on customers of the enterprise phone company 3CX began with another supply-chain attack via a third party. Mandiant identified the initial compromise vector of 3CX’s network as malicious software downloaded from the Trading Technologies website. The company says it is the first time it has seen one software supply chain attack lead to another.

In this case, the attackers used the compromised Trading Technologies software to gain access to 3CX’s network, where they then modified 3CX desktop apps in order to compromise the networks of 3CX’s customers.

$23M worth of crypto assets drained from Bitrue’s hot wallet

Singapore-based cryptocurrency exchange Bitrue suffered a hack last week in which around $23 million worth of digital assets, including Ether and Shiba Inu, was stolen from one of its hot wallets. The attack was spotted on April 14, 2023, when the company identified a “brief exploit” in the wallet.

The company said the affected hot wallet held less than 5% of its overall reserves and that its other wallets were not impacted.

Russian cyber spies targeted entities in Europe, US and Ukraine via flaws in Cisco routers

The US and UK cybersecurity authorities released a joint advisory describing attacks on Cisco routers by the Russian military hacker group APT28. The threat actor exploited Cisco router vulnerabilities throughout 2021, targeting entities in Europe, US government institutions and approximately 250 Ukrainian victims.

The group used two methods to access routers: default and weak SNMP community strings, and exploitation of CVE-2017-6742, a remote code execution vulnerability in the SNMP subsystem of Cisco IOS that the vendor patched in 2017. In some cases APT28 used the SNMP exploit to deploy the Jaguar Tooth malware, which collected device information and provided unauthenticated access via a backdoor.

Google: Ukraine remains Russia’s biggest cyber focus in 2023

Ukraine was the target of nearly 60% of phishing attacks by Russian state-backed hackers in Q1 2023, according to a new report from Google’s Threat Analysis Group (TAG). In most cases, the phishing campaigns were aimed at intelligence collection, operational disruption, and leaking sensitive data through Telegram channels dedicated to causing information damage to Ukraine.

The report details the activities of three Russian and Belarusian threat actors heavily focused on Ukraine, observed over the past few months: FROZENBARENTS (aka Sandworm), FROZENLAKE (aka APT28) and PUSHCHA (a Belarusian threat actor).

Daggerfly APT targets African telecoms service providers

Researchers from Symantec’s Threat Hunter Team discovered a new cyber-espionage campaign by the China-linked threat actor Daggerfly (aka Evasive Panda, Bronze Highland) that has been targeting telecommunications companies in Africa since November 2022.

The attackers were observed using the MgBot modular malware framework and a PlugX loader delivered via the legitimate AnyDesk remote desktop software.

Iranian Mint Sandstorm APT weaponizes N-day vulnerabilities

The Iran-affiliated state-backed threat actor Mint Sandstorm (aka Phosphorus, APT35, APT42, Charming Kitten and TA453) has been linked to a series of cyberattacks aimed at critical infrastructure in the US between late 2021 and mid-2022.

Microsoft’s report highlights the group’s ability to develop and deploy sophisticated phishing campaigns designed to breach specific systems, and to quickly add publicly disclosed proof-of-concept exploits for vulnerabilities in internet-facing applications, such as CVE-2022-47966 (Zoho ManageEngine products) and CVE-2022-47986 (IBM Aspera Faspex), to its playbook for gaining and maintaining initial access.

Microsoft shifts to weather-themed names to classify hacking groups

Microsoft announced it is switching from a taxonomy based on chemical elements to a new scheme based on weather themes, which it says offers a more organized, memorable and easy way to reference adversary groups.

Under the new classification, threat groups are named after weather events such as storms, typhoons and blizzards. Microsoft categorizes threat actors into five key groups: nation-state actors (with a weather family per country of origin, e.g. Typhoon for China, Blizzard for Russia, Sandstorm for Iran), financially motivated groups (Tempest), private sector offensive actors (Tsunami), influence operations (Flood), and groups in development (Storm).

NSO's Pegasus spyware uses 3 zero-click iOS exploits to hack iPhones

Israeli spyware vendor NSO Group deployed at least three new “zero-click” exploits (PWNYOURHOME, FINDMYPWN, LATENTIMAGE) against iPhones last year in attacks targeting Mexican human rights defenders. The attacks targeted phones running iOS 15 and early versions of iOS 16.

Israeli spyware vendor QuaDream reportedly shuts down operations

Israel-based spyware maker QuaDream, best known as the developer of a zero-click iPhone hacking tool, is reportedly shutting down its operations and looking to sell its intellectual property.

The development comes after Microsoft and the internet watchdog Citizen Lab released two separate reports detailing an iOS zero-click exploit dubbed “ENDOFDAYS” (Microsoft tracks the associated spyware as “KingsPawn”), which has been used against journalists, opposition figures and advocacy organizations across at least 10 countries, including people in North America and Europe. The exploit appears to abuse invisible iCloud calendar invitations sent from the spyware’s operator to victims.

Decommissioned routers expose sensitive corporate data

New research by ESET found that 56% of decommissioned business routers disposed of and sold on the secondary market still contained sensitive data, including corporate credentials, VPN details, cryptographic keys and more.

Of the nine networks that had complete configuration data available, 22% contained customer data, 33% exposed data allowing third-party connections to the network, 44% had credentials for connecting to other networks as a trusted party, 89% itemized connection details for specific applications, 89% contained router-to-router authentication keys, and all of them contained IPsec or VPN credentials or hashed root passwords, and held enough information to reliably identify the former owner or operator.
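The two router items above (APT28’s use of default or weak SNMP community strings, and ESET’s finding that sold-off routers still carry credentials) both come down to what sits in a device’s configuration. The script below is an added example, not code from either report: it audits a constructed Cisco IOS-style running-config offline, flagging SNMP community strings that are default, short, writable or not restricted by an ACL, and recovering the plaintext of reversible “type 7” passwords and IPsec pre-shared keys. The type 7 XOR key is Cisco’s publicly known one; the hostname, addresses, community strings and the type 5 hash placeholder are made up, and the line forms parsed are an assumption about the device’s syntax.

```python
"""Offline audit of a Cisco IOS-style configuration for the two router findings above:
default or weak SNMP community strings (the APT28 entry point) and secrets that stay
recoverable from a decommissioned device (the ESET finding). Added example, not from
either report; the sample config below is constructed."""
import re

# Constructed sample running-config (hypothetical device, not real data).
SAMPLE_CONFIG = """\
hostname branch-rtr-01
enable secret 5 $1$abcd$notARealHashJustAPlaceholder
username admin password 7 060506324F41
snmp-server community public RO
snmp-server community private RW
snmp-server community Xv7q2PzL RO 10
crypto isakmp key 7 0215575819031B address 203.0.113.9
access-list 10 permit 192.0.2.0 0.0.0.255
"""

# Fixed XOR key used by Cisco's reversible "type 7" obfuscation (publicly known).
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Community strings that ship as defaults or appear in every wordlist.
DEFAULT_COMMUNITIES = {"public", "private", "cisco", "admin", "manager", "secret"}


def type7_decode(enc: str) -> str:
    """Reverse a type 7 string: two decimal digits give the key offset, then hex byte pairs."""
    if len(enc) < 4 or len(enc) % 2 or not enc[:2].isdigit():
        raise ValueError("not a type 7 string")
    offset = int(enc[:2])
    data = bytes.fromhex(enc[2:])
    return "".join(chr(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]) for i, b in enumerate(data))


def audit_snmp(config: str) -> list[dict]:
    """Flag community strings that are default, short, writable, or reachable from any source."""
    findings = []
    pattern = r"^snmp-server community (\S+)(?: (RO|RW))?(?: (\S+))?\s*$"
    for m in re.finditer(pattern, config, re.M):
        community, mode, acl = m.group(1), m.group(2) or "RO", m.group(3)
        reasons = []
        if community.lower() in DEFAULT_COMMUNITIES:
            reasons.append("default community string")
        elif len(community) < 8:
            reasons.append("short community string")
        if mode == "RW":
            reasons.append("write access")
        if acl is None:
            reasons.append("no ACL restricting SNMP sources")
        if reasons:
            findings.append({"community": community, "mode": mode, "reasons": reasons})
    return findings


def recover_secrets(config: str) -> list[dict]:
    """List credentials an attacker gets from a dumped config: type 7 decoded, type 5 as hash."""
    found = []
    for m in re.finditer(r"^(.*?)\b(?:password|key) 7 ([0-9A-Fa-f]+)", config, re.M):
        found.append({"context": m.group(1).strip(), "kind": "type7",
                      "plaintext": type7_decode(m.group(2))})
    for m in re.finditer(r"^(.*?)\b(?:secret|password) 5 (\S+)", config, re.M):
        found.append({"context": m.group(1).strip(), "kind": "type5",
                      "plaintext": None, "hash": m.group(2)})
    return found


if __name__ == "__main__":
    for f in audit_snmp(SAMPLE_CONFIG):
        print(f"SNMP {f['mode']} '{f['community']}': {', '.join(f['reasons'])}")
    for s in recover_secrets(SAMPLE_CONFIG):
        shown = s["plaintext"] if s["kind"] == "type7" else f"hash {s['hash']} (offline-crackable)"
        print(f"{s['context']}: {shown}")
```

Run it against `show running-config` output captured before a device is disposed of: anything `recover_secrets` returns is what a buyer on the secondary market gets for free, so those credentials need rotating, not just the flash wiping, and any community string `audit_snmp` flags is the kind of foothold the APT28 advisory describes.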
