12 May 2023

Cyber security week in review: May 12, 2023


Microsoft fixes two Windows zero-days

Microsoft released its monthly Patch Tuesday security updates, fixing nearly 40 security flaws in the Windows OS and other software, including two zero-day vulnerabilities exploited in the wild.

One of the zero-days is CVE-2023-29336, an elevation-of-privilege flaw in the Win32k kernel driver that a local user can abuse to run code with SYSTEM privileges. The issue affects systems running Windows 10 and Windows Server 2008, 2012, and 2016.

The second zero-day is CVE-2023-24932, a Secure Boot bypass in Windows. An attacker with physical access to the system, or a local user with administrative rights, can bypass Secure Boot. According to reports, this vulnerability was used by a threat actor to install the BlackLotus UEFI bootkit. Note that the May update ships its protections disabled by default: administrators have to follow Microsoft's guidance to apply the revocations, and once applied, boot media that does not carry the updated boot manager will no longer boot on that machine.

In addition, the tech giant issued a new fix for CVE-2023-23397, the Outlook for Windows vulnerability said to have been exploited by Russian hackers, after security researchers discovered a way to bypass the original patch. The zero-click bypass, tracked as CVE-2023-29324, impacts all supported versions of Windows.

US, partners take down Russian Turla’s “Snake” espionage network

The US and its partners neutralized a covert peer-to-peer (P2P) network of computers infected with “Snake” malware, which Russia's Federal Security Service (FSB) has used for nearly 20 years to spy on the US and its allies.

The “Snake” cyber-espionage tool has been used to steal sensitive documents from hundreds of computer systems in at least 50 countries, including systems belonging to North Atlantic Treaty Organization (NATO) member governments, journalists, and other targets of interest to the Russian Federation.

The US government has officially attributed the malware to the Turla APT, a unit within Center 16 of the Federal Security Service of the Russian Federation (FSB).

US authorities seize 13 domains linked to “booter” services

The US Department of Justice seized 13 more domains linked to DDoS-for-hire services, also known as “booter” or “stresser” services. The seizures were part of an ongoing coordinated international law enforcement campaign (Operation PowerOFF) aimed at disrupting online platforms that let anyone launch large-scale distributed denial-of-service (DDoS) attacks against any target for a fee.

The DoJ also announced the takedown of 13 domains linked to Hezbollah and its affiliates.

Western Digital confirms hackers stole customer data in March breach

Data storage giant Western Digital confirmed hackers stole a database containing customer information during a March cyberattack.

The stolen data included customer names, billing and shipping addresses, email addresses and telephone numbers, as well as hashed and salted passwords and partial credit card numbers (in encrypted form).

Intel BootGuard private keys leaked on dark web following MSI cyber heist

Intel is investigating reports that BootGuard private keys were leaked online following last month's ransomware attack on MSI. The leaked MSI keys are said to affect several device manufacturers, including Intel, Lenovo and Supermicro. Researchers have published a list of affected MSI products and of other software signing keys compromised in the incident.

British hacker PlugwalkJoe pleads guilty to 2020 Twitter hack

Joseph O'Connor, a UK citizen known online as PlugwalkJoe who was extradited to the US last month, has admitted his involvement in a variety of cyber crimes, including the 2020 Twitter hack, one of the biggest hacks in social media history, which compromised numerous accounts of celebrities and politicians, including former US President Barack Obama and Microsoft's Bill Gates. O'Connor pleaded guilty on May 9, 2023 in New York to charges including conspiracy to commit computer intrusion, two counts of committing computer intrusions, stalking, conspiracy to commit wire fraud and money laundering. He faces a total maximum sentence of over 70 years in prison.

Former Ubiquiti employee gets 6 years in prison for data theft and extortion

Nickolas Sharp, a former senior developer at Ubiquiti, was sentenced to six years in prison for stealing confidential company data and attempting to extort his employer.

In December 2020, Sharp used his access to the company's Amazon Web Services (AWS) and GitHub accounts to steal gigabytes of data. Posing as an anonymous hacker, he tried to extort his employer, demanding that Ubiquiti pay 50 Bitcoin (about $1.9 million at the time) in exchange for information on the vulnerability he claimed to have exploited and for deletion of the stolen data. All the while, Sharp was ostensibly working on remediating the very breach he had caused.

After the company refused to pay, Sharp contacted the media posing as a whistleblower, falsely claiming that the company had been hacked by an unidentified perpetrator who had maliciously acquired root administrator access to its AWS accounts.

Sharp was arrested in March 2021 and pleaded guilty in February 2023. In addition to the prison sentence, he was sentenced to three years of supervised release and ordered to pay restitution of $1,590,487 and to forfeit personal property used or intended to be used in connection with the offenses.

Spanish police dismantle Trinitarios cybercrime gang

The National Police of Spain arrested 40 individuals suspected of involvement with the Trinitarios cybercrime gang, which specializes in phishing and bank fraud.

Those arrested include two hackers who carried out bank scams using phishing and smishing techniques and 15 suspected members of the “Trinitarios” group, who were charged with membership in a criminal organization, bank fraud, document forgery, identity theft and money laundering.

“Greatness” phishing tool targets organizations via Microsoft 365 phishing pages

Cisco Talos has warned of a new phishing-as-a-service (PaaS) tool called “Greatness” that has been used in several phishing campaigns since at least mid-2022.

Greatness incorporates features seen in some of the most advanced PaaS offerings, such as multi-factor authentication (MFA) bypass (the kit relays the victim's credentials and one-time code to Microsoft in real time and captures the resulting authenticated session cookie), IP filtering and integration with Telegram bots.

The service, for now, is only focused on Microsoft 365 phishing pages, providing its affiliates with an attachment and link builder that creates highly convincing decoy and login pages.

New CryptNet RaaS offers a 90% profit share from each successful attack

A new ransomware-as-a-service outfit called “CryptNet” is being advertised on the Russian-language deep and dark web (DDW) forum RAMP. CryptNet is marketed as fast and fully undetectable, with capabilities such as deleting shadow copies and disabling backup services, offline encryption, and a chat panel for negotiations.

The advertisement states that CryptNet will offer its affiliates a 90% profit share from each successful attack, one of the highest shares seen in the RaaS market, where affiliates typically receive between 60% and 80% from most groups.
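Deleting shadow copies and disabling backup services, as advertised for CryptNet, is the same backup-destruction step most ransomware families take before encryption, and it is one of the last reliable places to catch them. The following added example (not from the original post, and not tied to any CryptNet sample) runs a small rule set over constructed process-creation log lines and escalates only hosts where several distinct techniques fire, since a lone `vssadmin` call can be administrator housekeeping. Host names, rule names and the sample command lines are all constructed for the example.

```python
"""Flag shadow-copy deletion and backup-service tampering in process-creation logs.

Added example: the events below are constructed, not real telemetry, and the
rule set covers commonly seen commands rather than any specific ransomware build.
"""
import re
from collections import defaultdict

# Each rule is (name, regex over the full command line), matched case-insensitively.
RULES = [
    ("vss_delete",       re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("vss_resize",       re.compile(r"\bvssadmin(?:\.exe)?\s+resize\s+shadowstorage\b.*?/maxsize=", re.I)),
    ("wmic_shadow_del",  re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("ps_shadow_del",    re.compile(r"win32_shadowcopy.*?\bremove-wmiobject\b", re.I)),
    ("wbadmin_delete",   re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+(?:catalog|systemstatebackup)\b", re.I)),
    ("bcdedit_recovery", re.compile(r"\bbcdedit(?:\.exe)?\s+/set\b.*?\b(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    # Stopping or disabling services whose names suggest backup/snapshot duty.
    ("backup_svc_stop",  re.compile(r'\b(?:sc(?:\.exe)?\s+(?:stop|config)|net(?:\.exe)?\s+stop)\s+"?(?:vss|sqlwriter|veeam\w*|backup\w*|wbengine)\b', re.I)),
]

# Constructed sample events: host name plus the command line of a new process.
SAMPLE_EVENTS = [
    {"host": "ws01",  "cmdline": "vssadmin.exe list shadows"},                 # benign inventory
    {"host": "ws01",  "cmdline": 'sc query "VSS"'},                            # benign status check
    {"host": "srv02", "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "srv02", "cmdline": "wmic shadowcopy delete /nointeractive"},
    {"host": "srv02", "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"host": "srv02", "cmdline": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"host": "srv02", "cmdline": "wbadmin DELETE CATALOG -quiet"},
    {"host": "srv02", "cmdline": 'sc config "SQLWriter" start= disabled'},
    {"host": "ws03",  "cmdline": 'net stop "Veeam Backup Service" /y'},       # single hit: needs corroboration
    {"host": "ws04",  "cmdline": 'powershell -c "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"'},
]


def detect(events):
    """Return one finding per (event, rule) match; benign lines produce none."""
    findings = []
    for ev in events:
        for name, rx in RULES:
            if rx.search(ev["cmdline"]):
                findings.append({"host": ev["host"], "rule": name, "cmdline": ev["cmdline"]})
    return findings


def hosts_at_risk(findings, min_distinct_rules=2):
    """Hosts where at least `min_distinct_rules` different techniques fired.

    One shadow-copy deletion may be maintenance; deletion plus disabled recovery
    plus a stopped backup service in one session is the pre-encryption pattern.
    """
    per_host = defaultdict(set)
    for f in findings:
        per_host[f["host"]].add(f["rule"])
    return sorted(h for h, rules in per_host.items() if len(rules) >= min_distinct_rules)


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f['host']:6} {f['rule']:17} {f['cmdline']}")
    print("escalate:", hosts_at_risk(hits))
```

In production the same rule set would be fed from Sysmon event ID 1 or Windows Security event 4688 command lines, and the correlation window in `hosts_at_risk` would be bounded by time rather than by the whole input.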

Iranian state-backed hackers join the list of threat actors targeting PaperCut vulns

Iran-based state-sponsored threat groups have joined an ongoing hacking spree targeting two recently fixed vulnerabilities in the PaperCut print management software, which is widely used by government agencies, universities, and large companies worldwide.

Microsoft said that two hacking groups it tracks as Mint Sandstorm (previously known as Phosphorus) and Mango Sandstorm (aka Mercury) have been observed targeting PaperCut MF/NG print management servers left unpatched against CVE-2023-27350, a flaw that allows a remote, unauthenticated attacker to execute arbitrary code with SYSTEM privileges.

Mint Sandstorm's attacks appear to be opportunistic, while Mango Sandstorm's exploitation activity remains low, with operators reusing tools from previous campaigns to connect to their command-and-control infrastructure.

Mysterious Red Stinger APT caught spying on pro-Ukraine and pro-Russia targets in Ukraine

A new cyber-espionage group dubbed “Red Stinger” has been spying on both pro-Ukraine targets in central Ukraine and pro-Russia targets in the Donetsk and Luhansk regions of eastern Ukraine, which have been occupied by Russia since 2014.

First spotted by Malwarebytes in September 2022, the group has been active since at least 2020, targeting entities in different regions of Ukraine, including the military, transportation and critical infrastructure sectors.

Depending on the campaign, the attackers managed to exfiltrate screenshots, the contents of USB drives, keystrokes, and microphone recordings.

Israel-based threat group launched more than 350 BEC attacks over past 2 years

Abnormal Security released a report on an Israel-based threat group that has conducted over 350 business email compromise (BEC) attacks since February 2021, targeting employees in 61 countries across six continents. The group's targets are primarily large and multinational enterprises with average annual revenue of over $10 billion.

The average amount requested in an attack by this group is $712,000, more than ten times the average for BEC attacks.

The attackers first pose as the targeted employee's CEO, then hand the correspondence over to a second, external persona whose job is to coordinate the payment. In some cases the group asked to move the conversation from email to a WhatsApp voice call, both to speed up the attack and to minimize the evidence trail.

Chinese police arrest ChatGPT user for generating fake news

Chinese authorities detained a man in Gansu province in northwestern China for allegedly using OpenAI's ChatGPT chatbot to write fake news articles about a fatal train crash and spread them online. This appears to be the first arrest under the country's new AI regulation, which (among other restrictions) prohibits using artificial intelligence services to distribute “false information.”

The suspect was detained for “using artificial intelligence technology to concoct false and untrue information” and charged with “picking quarrels and provoking trouble,” a charge that can carry a five-to-ten-year prison term.
